US FTC Slaps Microsoft with $20M Fine for Mishandling Children’s Data on Xbox


Microsoft finds itself in hot water as the US Federal Trade Commission (FTC) imposes a hefty $20 million fine on the tech giant for unlawfully collecting and retaining personal information of children aged 13 and younger through Xbox registration. The FTC investigation revealed that Microsoft violated the Children’s Online Privacy Protection Act (COPPA) by requesting parental consent after already obtaining users' names, dates of birth, and email addresses.

The FTC highlighted two key concerns: first, Microsoft’s practice of seeking parental consent even after gathering initial personal information, and second, the company’s retention of data from children between 2015 and 2020, regardless of whether parents gave their permission or not. Such actions are clear violations of COPPA’s guidelines, designed to safeguard the privacy of young internet users.

In addition to the significant penalty, Microsoft now faces court-ordered obligations to enhance privacy protections for underage Xbox users. This includes extending COPPA regulations to cover any third-party publishers that receive user data from Microsoft. However, these orders must first be approved by a federal judge before implementation.

In response to the settlement and FTC orders, Microsoft has published a blog post outlining its commitment to address the issue. The company acknowledges the need for players to provide their date of birth during the registration process on Xbox and promises to explore new methods for age verification, actively seeking feedback from customers. Microsoft also attributes the storage of children’s data to a “technical glitch” that has since been rectified, assuring users that appropriate safeguards are now in place to prevent similar incidents in the future.