FTC Says Violations Stem From XBox Live Registration Process
Microsoft will pay $20 million to settle a U.S. federal investigation into whether the computing giant violated children’s privacy protections during the XBox Live registration process.
The Federal Trade Commission accused the company of a slew of infractions including, until 2019, automatically opting children’s accounts into accepting Microsoft promotional offers during the new account set up process before reaching a prompt for obtaining parental permission.
Until August 2021, the video game console registration process also asked children to enter additional information such as a telephone number before reaching the parental notification prompt. The agency says approximately 218,000 Xbox users in the United States self-identified as younger than 13 during the five-year period that ended in December 2021.
Microsoft until October 2020 also indefinitely retained personal information, including from children, of approximately 10 million individuals collected from new account registration processes not fully completed, the federal complaint states.
Online users younger than the age of 13 in are subject to Children’s Online Privacy Protection Act, a 1998 law that requires companies to obtain parental consent before companies can collect data.
A proposed settlement that requires approval by a federal judge calls on Microsoft to delete children’s information from the account registration process within two weeks unless it has obtained parental consent.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said SamLevine, director of the FTC’s Bureau of Consumer Protection.
Within 60 days of the settlement going into effect, the company must also obtain parental consent for children’s accounts. The FTC says Microsoft’s disclosure notices to parents until April 2021 did not fully reveal all the information the computing giant intended to collect, including potentially images of children to display in their accounts.
The settlement also calls for Microsoft to delete all information collected from children within one year of an account suspension.
Representatives of Microsoft did not immediately return a request for comment.