Microsoft responds to $20 million FTC fine over Xbox child accounts

What you need to know

  • The Children's Online Privacy Protection Act (colloquially known as COPPA) is a regulatory law that dictates how the privacy and identifying information for children under 13 can be collected and handled.
  • The Federal Trade Commission (FTC) charged Microsoft with illegally collecting children's personal information and storing it without parental consent.
  • The charges and subsequent settlement set a precedent for the idea that avatars, biometric data, and health information are not exempt from COPPA regulations.
  • Microsoft claims that a technical glitch led to its systems retaining account creation data for child accounts.
  • Microsoft and the FTC have settled, with Microsoft being fined $20 million and agreeing to tighten parental controls for child accounts.

The United States' Federal Trade Commission has settled an order with Microsoft over violations of the Children's Online Privacy Protection Act (COPPA). The FTC alleged that Microsoft had failed to notify parents about personal data that was collected from accounts created by and for children under the age of 13. COPPA compliance requires online services to notify parents of children under 13 about what information is collected and how it will be used.

Prior to late 2021, any user signing up for an Xbox account was asked for their first and last name, email address, and date of birth along with requests for a phone number. Users were also asked to agree to Microsoft's service agreement and advertising policy. Until 2019, a box that allowed Microsoft to send promotional messages and share user data with advertisers was also present and pre-checked, according to a complaint filed by the Department of Justice.

Users under 13 were not prompted to seek parental consent until after the data had already been submitted. Further details suggest that from 2015 until 2020, Microsoft retained this data even in the event that a parent did not complete the registration process.

Microsoft, via a post on Xbox Wire, has declared that this data retention was due to a technical error discovered by its engineers. In its response, the firm states that its policy is to only save information for 14 days to allow for the completion of the account creation process. Microsoft says its engineers have since fixed the issue and have subsequently deleted the data while putting protections in place to prevent the problem from recurring.

As part of the settlement agreement, Microsoft has been ordered to pay a fine of $20 million, and to make additional changes to its sign-up and data collection practices for children under 13. For child accounts created before May 2021, Microsoft will need to seek parental consent if the account holder is still a child. Additionally, the company will need to notify video game publishers in cases when it provided information about an account belonging to a child under 13, and the publisher will then be required to apply COPPA protections to that account.

In its response, Microsoft said that changes to sign-ups for child accounts are now in effect, including earlier parental consent requirements that will appear before users are prompted to share identifying information. It's also stated that child accounts created before May 2021 will be asked for parental consent before further Xbox activity can resume.

Further, Microsoft has committed to being transparent around the safety and privacy of child accounts and points towards the recently released Privacy Prodigy for Minecraft. This continuation of its CyberSafe series teaches children about privacy and protecting sensitive information while using the internet. Minecraft CyberSafe: Home Sweet Hmm and Minecraft CyberSafe: Privacy Prodigy are both available on Minecraft: Education Edition and Minecraft Bedrock for free.

Microsoft has also updated the Xbox Family Hub to provide information to parents on how to create a family group, manage child accounts, and further explain safety measures that can be found in the Xbox Family Settings App.

Cole Martin

Cole is the resident Call of Duty know-it-all and indie game enthusiast for Windows Central. She's a lifelong artist with two decades of experience in digital painting, and she will happily talk your ear off about budget pen displays.