Xbox Charged With Illegally Collecting Children's Data — Fined $20 Million

Tyler Cross, Senior Writer

Microsoft was charged by the U.S. Federal Trade Commission (FTC) with illegally collecting children’s data while kids played on their Xbox, including selling their information to advertisers until 2019. Microsoft agreed to pay a $20 million settlement.

According to the FTC, Microsoft violated COPPA’s consent and data laws up until 2021. COPPA has specific rules about not requiring users under 13 to provide information like email addresses, birthdays, full names, and phone numbers.

“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” the FTC stated. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”

“It wasn’t until after users provided this personal information that Microsoft required anyone who indicated they were under 13 to involve their parent. … The child’s parent then had to complete the account creation process before the child could get their own account.”

In addition to the $20 million fine, Microsoft is also being made to change its data privacy practices to prevent storing and collecting children’s data. However, the final decision is currently pending.

“According to the complaint, Microsoft failed to fully comply with COPPA’s notice provisions,” the FTC reported. “For example, Microsoft failed to disclose to parents all the information it collected, such as a child’s profile picture.”

In its response, Microsoft said it’s improving its age verification systems while taking steps to ensure parents are more engaged with the account creation process. Microsoft also blamed parts of the problem on a “glitch” that failed to delete the data created for children’s accounts, and said that data was never sold to advertisers or used.

Microsoft has also stated that it anticipates a pretty hefty $425 million fine later this year from the Irish Data Protection Commission for violating GDPR laws by showing targeted ads to LinkedIn users.

“This is the Commission’s third COPPA action within the last few weeks, following an announcement in mid-May against ed tech provider Edmodo and one last week involving Amazon,” the FTC said.

About the Author

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs, and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.