Microsoft’s Costly Misstep: $20 Million Settlement for Mishandling Children’s Data on Xbox

SIDDARDA GOWTHAM JAGABATHINA
3 min read, Jun 7, 2023


In a recent showdown with the U.S. Federal Trade Commission (FTC), Microsoft has found itself on the receiving end of a hefty blow, agreeing to pay a staggering $20 million penalty. The charge? Illegally collecting and retaining the personal data of unsuspecting children who signed up to use its popular Xbox video game console without their parents’ knowledge or consent. This eyebrow-raising settlement highlights the critical need to safeguard children’s privacy and comply with regulations such as the Children’s Online Privacy Protection Act (COPPA).

Caught red-handed, Microsoft faced accusations from the FTC that it had run afoul of COPPA’s consent and data retention requirements. Shockingly, the company had been gathering sensitive information from children — names, email addresses, dates of birth, and even phone numbers — until late 2021, all without obtaining the necessary parental consent. The proposed settlement, currently awaiting court approval, seeks to rectify this issue by demanding that Microsoft revamp its account creation process. The goal is to prevent data collection and storage without the explicit approval of parents, with a strict two-week deadline for obtaining consent. Should approval not be granted within this period, all collected data must be promptly deleted.

To ensure the privacy rights of children extend beyond the Xbox console itself, the settlement stipulates that Microsoft must extend privacy safeguards to third-party gaming publishers who receive children’s data. Additionally, the company is now under strict obligation to abide by privacy laws regarding biometric information and avatars created from children’s faces. These additions underscore the vital message that COPPA regulations do not exempt children’s avatars, biometric data, or health information from stringent privacy standards. With a weighty penalty of $20 million, this settlement serves as a powerful reminder of the consequences of failing to comply with child privacy laws.

Facing the fallout of this privacy fiasco, Microsoft has publicly acknowledged its transgressions and vowed to bolster its age verification systems while actively involving parents in the process of creating child accounts. Though the company has remained tight-lipped about the specifics of these improvements, it is clear that Microsoft intends to take concrete steps to prevent any future breaches. In an attempt to mitigate the damage, Microsoft has attributed some of the blame to a technical glitch that failed to delete account creation data for incomplete sign-ups. However, the company hastens to clarify that the data in question was promptly and definitively deleted, with no evidence of it being used, shared, or monetized.

Microsoft’s settlement is just the latest episode in a growing trend of regulatory actions targeting the video game industry. In December 2022, the developer behind the wildly popular game Fortnite, Epic Games, was slapped with a $520 million settlement for their own COPPA violations. These substantial fines serve as a resounding wake-up call to companies, stressing the urgent need for strict compliance with online privacy laws — especially those designed to shield children from exploitation.

While grappling with the aftermath of this settlement, Microsoft also finds itself bracing for anticipated fines of approximately $425 million from the Irish Data Protection Commission for potential breaches of the European Union General Data Protection Regulation (GDPR). This indicates a wider climate of heightened scrutiny and financial consequences for tech giants that mishandle user data. Amazon, for example, recently faced the FTC’s wrath, resulting in a cumulative $30.8 million fine for privacy lapses concerning its Alexa assistant and Ring security cameras.

Microsoft’s consent to pay a staggering $20 million penalty for its mishandling of children’s data on Xbox serves as a sobering reminder of the consequences that await companies neglecting their responsibility to protect user privacy. This settlement underscores the vital importance of adhering to COPPA requirements and implementing robust safeguards to shield children’s privacy. As regulators worldwide intensify their efforts to enforce data protection laws, it is abundantly clear that tech companies must prioritize and actively safeguard user privacy, taking proactive measures to prevent any potential privacy breaches.
