Microsoft have agreed to pay $20 million to settle charges with the Federal Trade Commission (FTC). The FTC charged Microsoft with violating the Children’s Online Privacy Protection Act (COPPA). The company collected the data of children who signed up to their Xbox gaming system. However, parents were not notified, and no consent was obtained from them, thereby making the collection of the information illegal.
If the proposed order is approved, Microsoft will be required to improve the privacy protections for any children using their Xbox system. Previously, personal information was shared with third-party gaming publishers, which were not covered by COPPA. This will no longer be the case and even third parties will be subject to COPPA protections. There is an additional measure that any avatar created from a child’s image is also covered by the COPPA Rule.
The complaint against Microsoft says that the company violated the COPPA Rule’s notice, consent, and data retention requirements. This is due to them failing to notify parents about the personal information that was collected and not obtaining parental consent for users under 13.
One of the major concerns addressed in the complaint related to the creation of accounts to access and play games on Xbox consoles and use the Xbox Live features. When an account was created, users had to input personal information such as name, email address and date of birth. Users were then additionally asked to provide a phone number and agree to a service agreement and advertising policy. Until late 2021, this was done even when a user indicated they were under 13. Until 2019, the advertising policy also included a pre-checked box that meant Microsoft could send promotional messages and share the data with advertisers.
Only after all this information was collected were parents required to get involved for under 13s. A parent had to complete the account creation before the child could access the account. The complaint highlighted that from 2015 to 2020 the personal information provided in the account creation process was still retained even when a parent failed to complete the account creation. This information was sometimes kept for years.
Following account creation, children were able to complete a profile with a “gamertag” and a picture or avatar. Microsoft would then supposedly combine these two and create a unique identifier for every account holder and would share this information with third parties. Parents were not made aware that their child’s profile picture might be collected.
In addition to the agreed payment of $20 million, Microsoft will need to implement a number of new measures. These will include better information on children’s accounts for parents and obtaining parental consent for any child accounts created before May 2021. If a child creates an account but it fails to pass through the parental consent stage within two weeks of being created, then a system must be set up to delete the information collected. If Microsoft shares any child’s information with game publishers, it will need to disclose that to the publishers, who will also need to apply COPPA protections.