Microsoft Fined $20M After Gov't Learns What It Did to Children Without Parent Permission
The Federal Trade Commission announced a massive fine for Microsoft after it was alleged that the company violated the Children’s Online Privacy Protection Act.
In a Monday release, the FTC made clear that Microsoft had run afoul of a number of infractions, and those infractions amounted to a whopping $20 million fine.
While a $20 million fine may not mean a whole lot in the grand scheme for a company that has already made over $200 billion in revenue (according to Forbes) in 2023 alone, it’s still a hefty fine and involves concerning allegations.
The FTC accused Microsoft of collecting personal information from children without notifying parents or obtaining parental consent, as well as illegally retaining that personal information.
In short, Microsoft was accused of keeping an illegal eye on your children through its Xbox video game system.
The Children’s Online Privacy Protection Act, or COPPA, requires any online service (in this case, the ability to play video games online) or website that can be used by children under 13 to notify parents about the personal information that’s going to be collected.
The COPPA Rule also requires that those same services and/or websites “obtain verifiable parental consent before collecting and using any personal information collected from children.”
According to the original complaint filed against Microsoft, the technology titan violated the COPPA Rule’s notice, consent and data retention requirements.
In effect, the process in which someone would sign up for Xbox’s “Xbox Live” online service includes providing personal information, such as first and last names, email addresses and birthdays.
[firefly_poll]
The FTC release alleged that as recently as 2021, even if a user identified as 13 years old, the Xbox Live service would provide an additional prompt asking for a phone number and to accept Microsoft’s service agreement and advertising policy.
The release also claimed that as recently as 2019, the sign-up also included a pre-checked box that would consent to Microsoft sending promotional material, advertisements and other messages.
Of particular concern, the pre-checked box included language that allows Microsoft to share user data with advertisers.
Once signed up, there was more information to include, such as a public-facing user name and a profile picture. Presumably, both user names and profile pictures could include pertinent personal information related to the child.
The failure to disclose that Microsoft collected those profile pictures was also noted in the complaint.
According to the FTC, Microsoft will be required to:
- Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
- Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
- Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected; and
- Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in the release.
He added: “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”
While the initial outlook certainly isn’t great for Microsoft, it could have been much worse.
Toward the end of 2022, Epic Games, the developer of the popular “Fortnite” video game, reached a $520 million settlement with the FTC over similar accusations that it had violated children’s privacy rights.
This article appeared originally on The Western Journal.
