Communications Litigation Today was a Warren News publication.
‘Glitch’ in System

Microsoft Settles With FTC for $20M Over COPPA Claims

June 7, 2023 by Karl Herchenroeder|Top News

Microsoft will pay $20 million to settle FTC claims the company violated the Children’s Online Privacy Protection Act (COPPA) by collecting kids’ gaming data without parental consent and illegally storing data for years, the agency announced Monday.

The commission voted 3-0 to refer its complaint to DOJ, which filed a stipulated order with the U.S. District Court for the Western District of Washington state. The complaint alleges the company didn’t disclose to parents all the information it collects from children using Microsoft’s Xbox gaming system, including photos, phone numbers and email addresses. The complaint alleges Microsoft retained kids’ data without proper parental consent between 2015 and 2020.

The company used children’s gamer IDs and photos to create unique persistent identifiers for each account holder and shared this information with third parties, the agency said: “Microsoft allowed -- by default -- all users, including children to play third-party games and apps while using Xbox Live, requiring parents to take additional steps to opt out if they don’t want their children to access them.” The settlement should make clear “that kids’ avatars, biometric data, and health information are not exempt from COPPA,” said FTC Consumer Protection Bureau Director Samuel Levine.

The company has since updated its account creation process and resolved a “data retention glitch found in our system,” said Xbox Operations Corporate Vice President Dave McCarthy in a statement. “Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”

The updated account creation process means users will need to give their date of birth when signing up, said McCarthy: If they’re under 13, they will need to provide verified parental consent before giving Microsoft personal information like phone numbers and email addresses. “This updated process ensures that we can identify potential child accounts immediately and make clear to parents and caregivers the next steps to protect their children’s data and play safely on our network,” said McCarthy.

The proposal requires Microsoft to inform parents that creating a new account for their children will mean stronger privacy protection. The company is required to get parental consent for accounts created before May 2021 if the user is still a minor and implement a new program for deleting data in a timely fashion. Microsoft will inform game publishers “when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child,” the agency said.