In a recent development, Microsoft has agreed to pay a hefty sum of $20 million to settle charges brought forth by the Federal Trade Commission (FTC) regarding the violation of the Children’s Online Privacy Protection Act (COPPA). The charges alleged that Microsoft collected personal information from children who signed up for its Xbox gaming system without notifying their parents or obtaining their consent, as well as unlawfully retaining children’s personal data. Today, we’ll be looking at the details of the settlement and the steps Microsoft must take to enhance privacy protections for underage Xbox users.

Microsoft’s Xbox Gaming System & COPPA Violations

COPPA mandates that online services and websites catering to children under 13 years old must inform parents about the collection of personal information and obtain verifiable parental consent before using such data. The complaint against Microsoft also revealed violations of COPPA’s notice, consent, and data retention provisions.

Microsoft’s Xbox gaming products offer users the ability to play games and communicate with others via the Xbox Live service. To access and utilize the features of an Xbox console, users are required to create an account and provide personal information such as name, email address, and date of birth. Interestingly, even if a user indicated they were under 13, they were still prompted to provide additional personal information and consent to Microsoft’s service agreement and advertising policy. This practice continued until late 2021.

Significantly, Microsoft only required the involvement of a parent after users had already supplied personal information. However, according to the complaint, Microsoft retained the data collected from children during the account creation process, sometimes for years, even if the parent failed to complete the process—an action strictly prohibited by COPPA.

Failure to Comply with COPPA’s Notice Requirements

Upon creating an account, children could develop a profile, complete with a “gamertag” as the primary identifier visible to themselves and other Xbox Live users. Children also had the option to upload a picture or utilize an avatar to represent themselves. Microsoft combined this information with a unique persistent identifier assigned to each account holder, including children, and shared it with third-party game and app developers. By default, Microsoft allowed all users, including children, to access third-party games and apps through Xbox Live, requiring parents to opt-out if they didn’t want their children exposed to such content.

This all relied on a form of implied consent that children cannot legally provide under COPPA.

The complaint highlighted Microsoft’s failure to adhere fully to COPPA’s notice provisions. Most significantly, the complaint highlighted Microsoft’s failure to inform parents of all data collected on their children, which is a significant COPPA violation.

The Violations and Proposed Order

The Department of Justice, on behalf of the FTC, filed a proposed order that outlines the measures Microsoft must implement to strengthen privacy safeguards for children using the Xbox system. Critically, the order requires that third-party gaming publishers must also follow COPPA regulations when handling children’s data shared by Microsoft. The order also explicitly states that avatars generated from a child’s image, as well as biometric and health information, fall under the purview of COPPA when collected alongside other personal data. However, the order’s effectiveness is contingent on its approval by a federal court.

Requirements & Changes Imposed by the Settlement

In addition to the financial penalty, Microsoft is mandated by the proposed order to undertake various actions. According to the FTC’s official press release, Microsoft must now:

• Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
• Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
• Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected; and
• Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.

What This Means for Now

By extending COPPA protections to third-party gaming publishers and establishing clearer guidelines on avatars and personal data collection, this settlement aims to rectify the past violations and prevent future infringements. The final approval of the proposed order by a federal court is now awaited, marking a crucial step toward safeguarding children’s privacy in online gaming environments.

Online data privacy protection enforcement has only become more frequent and more severe since the adoption of the GDPR in 2018. And when children’s private data is involved, authorities don’t hold back. Fortunately, your company doesn’t have to find itself in the same boat as Microsoft. Get in touch with our team of privacy experts today to learn more about our flagship privacy compliance software, 4Comply.