Microsoft has agreed to pay a $20 million fine to the US Federal Trade Commission to settle charges that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting the personal information of minors who signed up to the Xbox gaming service without notifying their parents or gaining parental consent.
Unlike PC games, which typically don’t ask for much more than a functional internet connection, Xbox consoles require an Xbox Live account to play online. Basic accounts are free to set up, but of course you have to enter all sorts of personal information in the process, including your full name, address, phone number, and all that sort of thing. There are different types of accounts for different age groups, including Child accounts, which are restricted accounts affiliated with specific Adult accounts for people under the age of 13.
The problem for Microsoft, according to the FTC, is that until late 2021 it required users to enter their personal information even if they were under the age of 13. The signup process also required users, including children, to agree to Microsoft’s advertising policy and terms of service, “which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers.”
It wasn’t until after this point that a parent had to become involved in the process to complete the account creation and enable the child to have their own account—but in cases where the parent did not complete the process, the FTC said that from 2015-2020, Microsoft retained the data collected from the incomplete signup process anyway.
Under the terms of the proposed settlement, Microsoft will pay a $20 million fine and make a number of changes to its Xbox Live signup policies:
- Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default
- Obtain parental consent for accounts created before May 2021 if the account holder is still a child
- Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected
- Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” FTC Bureau of Consumer Protection director Samuel Levine said. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
Proposed order will require Microsoft to bolster protections for children; makes clear that avatars generated from kids’ image and biometric and health data are protected under the Children’s Online Privacy Protection Act (COPPA) (June 5, 2023)
Under the terms of the proposed settlement, Microsoft “neither admits nor denies any of the allegations,” but only “admits the facts necessary to establish jurisdiction” for the purposes of the deal—in other words, simply put, it didn’t do anything wrong and promises not to do it again.
“At Xbox, we have the fundamental commitment that all players should have a safe and secure experience on our platform,” a Microsoft spokesperson said in a statement sent to PC Gamer. “We recently entered into a settlement with the US Federal Trade Commission (FTC) to update our account creation process and resolve a data retention glitch found in our system. We are committed to complying with the order.
“In addition to our existing multifaceted safety strategy, we also plan to develop next-generation identity and age validation—a convenient, secure, one-time process for all players that will allow us to better deliver customized, safe, age-appropriate experiences.”
Much like the famous “depends on the context” meme, $20 million both is, and is not, a lot of money. For me, it would be utterly life-changing if I had it, and utterly life-destroying if I suddenly owed it to a massive government agency because I’d violated federal law. For Microsoft, on the other hand, it’s a drop in the bucket: According to my calculations, it represents approximately 0.1% of the $18.3 billion in net income that Microsoft earned in Q3 FY23—that’s a period of three months, mind—during which it brought in total revenues of $52.9 billion.
Or, to look at it another way, it’s a minor rounding error in Microsoft’s proposed purchase price for Activision Blizzard: Less than one-tenth of the difference between the announced $68.7 million price, and the nicer, no-decimal $69 billion cost that’s sometimes quoted. I’d call that a bargain.
Microsoft and the FTC have both agreed to the proposed settlement, but it won’t go into effect until it’s approved by a US federal court.