Xbox Fined $20M for ‘Illegally’ Recording Children’s Information

The Federal Trade Commission just announced that Microsoft has reportedly been fined $20 million, “accused of illegally collecting personal information from children signing up for the Xbox game system without their parents’ consent.”

The decision follows a larger one from December 2022, in which Epic Games, the developer of Fortnite, was fined $550 million for using “privacy-invading default settings and deceptive interfaces” against Fortnite users, including teenagers and children.

In this case, the FTC says the issue centers on the creation of child accounts on an Xbox console, a process that by late 2021 would allow a child to enter a certain amount of personal information before they needed a parent’s help and permission. Microsoft kept this data (sometimes “for years”) even if the account was never created, which violates the Children’s Online Privacy Protection Act (COPPA).

Microsoft has already provided a response to the decision. In a post on the official Xbox blog, Xbox Gamer Services CVP Dave McCarthy said the breach was caused by a “glitch” and that Microsoft will “continue to evolve” going forward:

We recently reached an agreement with the US Federal Trade Commission (FTC) to update our account creation process and resolve a data retention issue in our system. Unfortunately, we did not meet customer expectations and we are committed to complying with the mandate to continue improving our security measures. We believe we can and should do more, and we will remain committed to safety, privacy and security for our community.

McCarthy goes on to explain the details of this “disruption” and how it resulted in children’s data being retained despite being “inconsistent with our policy of keeping this information for only 14 days”:

During the review, we identified a technical glitch that caused our systems to not delete account creation data for sub-accounts where the account creation process was initiated but not completed. This was inconsistent with our policy of only saving this information for 14 days to make it easier for players to pick up where they left off to complete the process. Our engineering team took immediate action: we fixed the error, deleted the data and implemented actions to prevent the error from recurring. Data was never used, shared or monetized.

The FTC’s statement, meanwhile, says:

Microsoft will pay $20 million to settle Federal Trade Commission charges that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up for the Xbox gaming system without their parents’ notice or consent, and illegally storing children’s personal information.

“The regulation we propose makes it easier for parents to protect their children’s privacy on Xbox and limits the information Microsoft can collect and store about children,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This action should also make it clear that children’s avatars, biometric data and health information are not exempt from COPPA.”

As part of a proposed order filed by the Department of Justice on behalf of the FTC, Microsoft will be asked to take several steps to support the privacy protections for child users of the Xbox system. For example, the order will extend COPPA protections to third-party game publishers with whom Microsoft shares children’s data. In addition, the instruction makes clear that avatars and biometric and health information created from a child’s image are covered by the COPPA Rule when collected together with other personal data. For the decision to take effect, it must first be approved by a federal court.


