Microsoft Fined $20 Million by FTC Over Children's Privacy Violations

The Federal Trade Commission (FTC) has announced that Microsoft will be forced to pay $20 million after it "illegally collected personal information from children who signed up for its Xbox gaming system without their parents' consent." The issue was largely fixed in late 2021 but mostly dealt with the processes used when signing up for an Xbox Live account. The processes Microsoft previously used in account generation were found to violate the Children's Online Privacy Act, which is where this fine comes from.

First spotted by VGC, the new notice from the FTC outlines how the organization aims to keep children's info private, while also showing how Xbox Live previously violated the protections. Previously, Microsoft would ask users trying to make an account for various bits of personal information including their telephone number regardless of their age. Users under 13 should not have been given this option under the protections and that has since been fixed. The initial complaint also mentions a pre-checked box at account creation that allowed Microsoft to send promotional messages and share user data with advertisers; however, that was taken out in 2019.

FTC will require Microsoft to pay $20 million over charges it illegally collected personal information from children who signed up for its Xbox gaming system without their parents’ consent: https://t.co/kgm0wFp2zG /1 #privacy

— FTC (@FTC) June 5, 2023

Before the changes, Microsoft asked for all of this data before requiring users under the age of 13 to involve their parents. Because of this, Microsoft retained data from 2015-2020 that collected children's data in ways that went against the protections put in place by the FTC. In addition to the $20 million penalty, Microsoft will also be required to do several things including informing parents about the additional measures Xbox Live is taking to protect children and obtaining parental consent for any "accounts created before May 2021 if the account holder is still a child."

For its part, Microsoft shared on the official Xbox site that it has taken the steps needed to fix these issues, saying that it was a "data retention glitch." They also say that the data gathered "was never used, shared, or monetized." Assuming that's all true, it at least looks like Microsoft is taking the appropriate steps to fix the issue, and has ironed out its processes for the future so that it doesn't happen again.