Microsoft will pay $20 million FTC settlement over improperly storing Xbox account data for children

Microsoft is set to pay $20 million to the Federal Trade Commission (FTC) for violating the Children’s Online Privacy Protection Act (COPPA). The Company retained some of the personal information of children for much longer than when the accounts were created, according to a press release,

Microsoft will also have to make some changes as part of a proposed order filed by the Department of Justice (DOJ) on behalf of the FTC. Those changes include telling parents that a separate child account comes with additional privacy protections, requiring parents to give consent for child accounts created before 2021, and setting up parental controls for children’s accounts. -Creating systems to remove data that required obtaining parental consent, and telling other publishers when it “discloses personal information from children that the user is a child,” the press release said.

This is the latest FTC settlement with a video game company over alleged COPPA violations. In December 2022, Fortnite Developer Epic Games reached a $520 million settlement with the FTC, of ​​which $275 million was settled over COPPA violations. Earlier that month, Epic introduced For-Kids Accounts. Fortnite, rocket leagueAnd fell friends,

On Monday, the FTC said that until the end of 2021, when a user created a Microsoft account, the company asked for certain personal information from the parents of an under-13 player before asking them to join in creating the account. But the FTC alleges Microsoft retained that personal data “sometimes for years” even after parents didn’t complete the signup process, which is prohibited by COPPA.

“Sadly, we have not lived up to customers’ expectations and are committed to complying with the order to continue improving our security measures,” said Dave McCarthy, CVP of Xbox Player Services, Microsoft. wrote in an Xbox blog post, “We believe we can and must do more, and we will remain steadfast in our commitment to safety, privacy and security for our community.”

In the post, McCarthy says that Microsoft was not deleting account creation data for child accounts due to a “technical glitch” and that the company has since fixed the glitch and removed the data. According to McCarthy, “the data was never used, shared, or monetized.”