Xbox hit with $20M fine over child privacy violations

Microsoft will pay a $20 million fine after the U.S. Federal Trade Commission charged that it violated children’s privacy rights with its information collection practices of the Xbox Live service.

The FTC announced the penalty on Monday. The monetary settlement covers violations of the Children’s Online Privacy Protection Act of 1998 (COPPA), which involve “children who signed up to [the] Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information,” the FTC said in a statement.

Further, Microsoft must take additional steps to strengthen privacy protections for minor children who use Xbox consoles and Xbox Live, subject to that order’s approval by a federal judge.

COPPA requires online services and websites to notify parents that they collect personal information about children under age 13, and to obtain verifiable parental consent before they do so. In this case, the violations stem from the fact that, even when an Xbox Live user “indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information including a phone number.”

Additionally, as part of accepting Xbox Live’s terms of use, these children also consented to a pre-checked agreement allowing Microsoft to send promotional messages and share this data with advertisers. Microsoft then retained this data involving under-13 children, another violation of COPPA.

In a blog post Monday, Dave McCarthy, Xbox’s executive in charge of player services, called the matter a “data retention glitch found in our system” and said that “regrettably, we did not meet customer expectations.”

“We believe that we can and should do more,” McCarthy added, “and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”

He said that the data-retention violation was an error “inconsistent with our policy to save that information for only 14 days to make it easier for gamers to pick up where they left off to complete the process.” That “glitch” was fixed, and the data since deleted. McCarthy said it was “never used, shared, or monetized.”

Going forward, players under age 13 who created an Xbox Live account before May 2021 will have to reverify their accounts with parental consent.

Microsoft and the FTC are, of course, engaged in another lawsuit — related to Microsoft’s planned $68.7 billion acquisition of Activision Blizzard. In that complaint, the FTC has said the Microsoft/Activision deal “would enable Microsoft to suppress competitors to its Xbox gaming consoles and its rapidly growing subscription content and cloud-gaming business.”

That complaint was filed at the end of 2022; since then, regulators in the European Union announced they approve of the deal. Still, the U.S. action, as well as a thumbs down from the United Kingdom’s Competition and Markets Authority, have kept the deal in limbo. Microsoft and Activision announced the proposed acquisition in January 2022.