Microsoft has agreed to pay the Federal Trade Commission (FTC) $20 million after allegedly violating the Children’s Online Privacy Protection Act (COPPA). According to a press release, Microsoft retained personal information of children for an extended period when they created accounts. The company will also have to make several changes, including notifying parents that child accounts come with additional privacy protections, requiring parental consent for child accounts made before 2021, creating systems to delete data necessary to get parental consent for a kids’ account, and informing other publishers when it “discloses personal information from children that the user is a child.” The Department of Justice (DOJ) filed the proposed order on behalf of the FTC.
This is not the first settlement between the FTC and video game companies over alleged COPPA violations. In December 2022, the developer of Fortnite, Epic Games, settled for $520 million, $275 million of which was for COPPA violations. The company also introduced for-kids accounts for Fortnite, Rocket League, and Fall Guys.
The FTC stated that Microsoft asked for specific personal information when creating an account until late 2021 before involving the parent of an under-13 player. However, the FTC alleges that Microsoft retained that data for “sometimes for years,” even if the parent did not complete the signup process. This is a violation of COPPA.
In an Xbox blog post, Microsoft’s Dave McCarthy, CVP of Xbox Player Services, wrote, “Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures.” He also added that Microsoft was not deleting account creation data for child accounts due to a “technical glitch,” but the issue has since been resolved, and the data has been deleted. McCarthy also stated that the data was never used, shared, or monetized.
Overall, Microsoft’s settlement with the FTC highlights the importance of complying with COPPA regulations, which aim to protect children’s privacy online. Companies need to be aware of the data they collect and how they store it, especially when children are involved. The settlement also shows that the FTC will not tolerate companies that do not comply with COPPA regulations and are willing to take action against them.