Microsoft has decided to settle with the Federal Trade Commission (FTC) than go against it in court.
The tech giant recently agreed to settle the charges the FTC made against it for allegedly violating the Children's Online Privacy Protection Act (COPPA) and invading the privacy of the children who signed up for its Xbox gaming system.
Microsoft will also make some changes to its policy as part of a proposed order the Justice Department filed on behalf of the FTC.
Microsoft-FTC Settlement Details
The FTC mentioned in a statement that Microsoft agreed to pay $20 million to settle the privacy violation the FTC charged it with. According to the government agency, Microsoft allegedly collected personal information from children who signed up for its Xbox gaming system without notifying their parents or obtaining their consent.
The government agency stated in its complaint that Microsoft's Xbox gaming system requires users to provide personal information, such as their first and last name, email address, and their date of birth, to sign up for the system. Doing so allows them to access and play games on an Xbox console or use any other Xbox Live features, such as online multiplayer, access and the ability to play games offered in the Xbox Play Pass, and more.
However, even when a user indicated they were under 13, they were asked to provide additional information like their phone number and to agree to Microsoft's service agreement and advertising policy, which included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers until 2019.
This collection of other personal information from users under the age of 13 continued until late 2021, when Microsoft changed its signup policy to have parents involved in the signup process when a prospective user under 13 wants to create an account.
The complaint also stated that Microsoft retained the data it collected from the minors that signed up from 2015 to 2020, even if their parents didn't finish the signup process, which is something COPPA prohibits, per The Verge.
Additionally, Microsoft failed to fully comply with COPPA's notice provisions, such as when the company failed to disclose to parents all the information it collected, such as a child's profile picture, during the signup process.
Microsoft's Other Penalties, Reaction
Aside from the monetary penalty, the FTC will also require Microsoft to inform parents who have yet to create a separate account for their child that Microsoft will provide additional privacy protections for their child by default should they push through with it.
The company is also required to obtain parental consent for accounts created before May 2021 if the account holder is still a child and to Establish and maintain systems to delete all personal information that it collects from children to obtain parental consent within two weeks from the collection date if it has not obtained parental consent.
Microsoft will also be required to delete all other personal data collected from children after it's no longer needed and notify game publishers when Microsoft discloses personal information from children that the user is a child, requiring the publishers to apply COPPA's protections to that child.
Microsoft's Dave McCarthy, CVP of Xbox Player Services, said in an Xbox blog post that the company did not meet customer expectations and is committed to complying with the order to continue improving its safety measures. He added that Microsoft believes it can and should do more to protect children's privacy; it will remain steadfast in its commitment to safety, privacy, and security for our community.
While McCarthy stated in the blog post that a technical glitch prevented it from deleting account creation data for child accounts, the company has since fixed the glitch and deleted the data, adding that the data was never "used, shared or monetized."
Related Article : Microsoft Says CMA Erred in Blocking Activision Acquisition