The Federal Trade Commission just announced that Microsoft was fined $20 million “for illegally collecting personally identifiable information from children who signed up for the Xbox gaming system without their parents’ consent.”
The verdict follows a larger December 2022 verdict when Epic Games, developers of Fourteen days, were fined $550 million for using “privacy-hostile defaults and deceptive interfaces that cheat”. Fourteen days users, including adolescents and children”.
In that case, according to the FTC, the issue revolved around the creation of child accounts on an Xbox console, a process that would allow a child by the end of 2021 to enter a certain amount of personal information before requiring a parent’s help and permission. Microsoft retained this data (sometimes “years”) even if the account was not created, in violation of the Children’s Online Privacy Protection Rule (COPPA).
Microsoft has already reacted to the verdict with one post on the official Xbox blog, where Dave McCarthy, CVP Xbox Player Services, said the breach was the result of a “bug” and that Microsoft will “keep improving” in the future:
We recently reached a settlement with the US Federal Trade Commission (FTC) to update our account creation process and to fix a data retention error identified in our system. Regrettably, we have not met our customers’ expectations and we strive to comply with the order and continue to improve our security measures. We believe we can and should do more, and we will remain steadfast in our commitment to security, privacy and protection for our community.
McCarthy goes on to explain the details of this “failure” and how it resulted in data being retained from children, even though it “contradicted our policy of only retaining this information for 14 days”:
During the investigation, we identified a technical error where our systems did not delete the account creation data for child accounts that started but did not complete the account creation process. This went against our policy of only retaining this information for 14 days to make it easier for players to pick up where they left off to complete the process. Our technical team took immediate action: we fixed the error, cleared the data and implemented measures to prevent the error from happening again. The data was never used, shared or monetized.
The FTC statementsays meanwhile:
Microsoft will pay $20 million to settle Federal Trade Commission allegations that the company violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children logging on to its Xbox game system without notifying their parents or obtaining their consent illegal storage of children’s personal information.
“Our proposed arrangement makes it easier for parents to protect their children’s privacy on Xbox and limits what information Microsoft can collect and store about children,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “This action should also make it clear that children’s avatars, biometrics and health information are not exempt from COPPA.”
Under a proposed order filed by the Justice Department on behalf of the FTC, Microsoft must take several steps to improve privacy protections for child users of its Xbox system. For example, the order will extend COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data. In addition, the regulation clarifies that avatars created from a child’s image, biometric and health information fall under the COPPA rule when collected together with other personal data. The order must be approved by a federal court before it can become effective.