Microsoft has agreed to pay a fine of $20 million to the Federal Trade Commission (FTC) for violating the Children’s Online Privacy Protection Act (COPPA) by collecting data on children using its Xbox gaming system, without obtaining parental consent. COPPA regulations require notification of parents and obtaining consent before collecting any data on children under the age of 13, and storage of any data on a minor can’t be stored for longer than is “reasonably necessary.”
The FTC discovered that Microsoft had retained children’s data from 2015-2020, often collected from Xbox accounts without parents’ permission, in violation of COPPA. Microsoft’s data retention was found to be non-compliant with the regulatory requirements. The FTC has proposed an order in coordination with the Department of Justice that requires Microsoft to extend COPPA protections to third-party game publishers in the Xbox ecosystem. Regulators also made it clear that a child’s image, biometric and health information captured by Xbox are likewise covered by COPPA rules.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, explained that the proposed order would make it easier for parents to protect their children’s privacy on Xbox, and limit the information Microsoft can collect and retain about kids. This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA, Levine added.
The settlement has also required Microsoft to take action to comply with COPPA by submitting compliance reports to the FTC. The company will also be required to delete all data collected in violation of COPPA regulations.
Microsoft has vowed to work towards maintaining compliance, conveying that it takes data privacy and security very seriously. The company stated that it has dedicated itself to complying with COPPA regulations and other data privacy laws in all aspects of its business. Additionally, Microsoft plans to continue investing in the latest security measures to keep its systems secure and protect the data of its users, especially children.
The settlement is one of many enforcement actions taken by the FTC against companies that violate COPPA. In recent years, the FTC has stepped up its enforcement of COPPA regulations and has taken action against several companies, including Musical.ly, YouTube, and TikTok, for violating the law. These actions should serve as a warning to other companies to review their practices and ensure that they are compliant with COPPA and other privacy regulations.
In conclusion, companies must prioritize complying with privacy regulations and strive to protect the data of all users, especially children. Failure to comply with COPPA and other privacy regulations can result in costly fines and damage to a company’s reputation. It is crucial for companies to implement and maintain effective data privacy and security measures to prevent violations and preserve trust with their users.