Microsoft settles with FTC for $20 million over Xbox child data violations

Microsoft will have to pay a hefty sum of $20 million to the Federal Trade Commission (FTC). According to a press release by the FTC, the company was found to have violated the Children’s Online Privacy Protection Act (COPPA).

Upon investigation, Microsoft was found to be collecting data from Xbox accounts belonging to children under 13 without their parents’ consent. This is contrary to COPPA’s stipulations, under which online services are supposed to notify parents what data they are collecting from kids under the age of 13 and how the information will be used.

As you might already be aware, to play Xbox games and even use its services, you must first create a personal account and provide your personal details, including your name, date of birth, and email address. Until 2021, users were required to provide contact details and agree to Microsoft’s advertising policy.

The FTC’s investigations further uncovered that Microsoft only asked kids under the age of 13 to get their parents to complete the signup process for them after they had provided their personal credentials. It was also discovered that from 2015 through to 2020, the company allegedly collected and stored the information from the children, despite the parents not completing the account creation process.

As such, this breaches the FTC’s rule under which online services are required to have parental consent before using personal data obtained from underage children. Microsoft’s CVP for Xbox Player Services, Dave McCarthy, disclosed that the company didn’t intentionally keep the personal data from the underage kids and indicated that a “technical glitch” caused the issue.

McCarthy further detailed that the company made this discovery while looking into this matter and that the engineering team has since resolved the issue and deleted the data retained from the children’s Xbox accounts without parental consent. He added that the data wasn’t used, shared, or monetized anywhere.

“Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”

Moving forward, per the DOJ’s proposed order, Microsoft will be required to streamline its account creation process for children. The company has already tweaked the process and will now require the user to provide their date of birth and, if found to be underage, seek parental consent before proceeding with the account setup process. Additionally, if you created an Xbox account before May 2021 while under the age of 13, you’ll be required to seek parental consent before continuing to use the services in the next couple of months.