Microsoft is paying $20 million to settle allegations by the US Federal Trade Commission that it violated the Children’s Online Privacy Protection Act (COPPA).
According to Engjet, in a complaint filed by the US Department of Justice on behalf of the Federal Trade Commission, the department has accused the said technology company of collecting the information of Xbox users and keeping them even without the consent of the parents.
In order to be able to use Xbox games and services such as “Xbox Live”, users must register in a user account and provide private information including their full name, email address and place of birth.
Until 2021, Xbox users were asked to add their mobile number and agree to Microsoft’s advertising policy. The US Federal Trade Commission found that Microsoft asked users under the age of 13 for parental consent to create accounts after asking them to provide private information.
It seems that from 2015 to 2020, Microsoft collected and stored the data of underage users even if the parents did not complete the registration form. According to COPPA, online services and websites must obtain parental consent before using any private information from children.
Also, the US Federal Trade Commission has explained that Microsoft combines each user’s gamertag with its persistent and specific identifiers, even for underage users. Dave McCarthy, one of the directors of Xbox Player Services, stated in a blog post that Microsoft intentionally did not maintain children’s user accounts that were not completed by parents. The company had noticed a technical glitch that led to data retention during the investigation. Also, the Microsoft engineering team deleted the information of children affected by the bug after fixing the problem.
In addition to paying $20 million in damages to settle the charges of the Federal Trade Commission, Microsoft must change the process of creating user accounts for underage users as ordered by the US Department of Justice. This big technology company has now updated the mentioned process. Therefore, when filling the form when the person’s date of birth is asked, if necessary, before filling other information, parental consent is requested. Also, in this process, users under the age of 13 who created an account before May 2021 have been asked to reconfirm their parents’ consent in the coming months.
The US Federal Trade Commission has asked Microsoft to create a system to delete all private information collected from children after 2 weeks if parents do not complete the account creation process.
In addition, the federal agency asked the company to warn video game publishers that the shared information about a child must be protected under COPPA laws. In the meantime, Microsoft has made changes to its registration process, which must be approved by the federal court before it becomes effective.