Microsoft is willing to pay the Federal Trade Commission (FTC) a $20 million settlement over allegations that the company violated the Children’s Online Privacy Protection Act (COPPA). The company kept certain children’s personal information much longer than it should have when they created accounts, according to a press release.
Microsoft will also have to make some changes as part of a proposed order filed by the Department of Justice (DOJ) on behalf of the FTC. These changes include telling parents that a separate child account comes with additional privacy protections, requiring parents to give consent for child accounts created before 2021, creating systems to delete the data it requires to obtain parental consent for a child account, and telling other publishers when it “discloses personal information from children that the user is a child,” the press release said.
This is just the latest FTC settlement with a video game company over alleged COPPA violations. In December 2022, Fortnite developer Epic Games reached a $520 million settlement with the Federal Trade Commission, $275 million of which was for COPPA violations. Earlier that month, Epic introduced accounts for children in Fortnite, Rocket League and Fall Guys.
On Monday, the FTC said that until the end of 2021, when a user created a Microsoft account, the company asked for certain personal information before asking a parent of a player under 13 to participate in creating the account. But the FTC alleged that Microsoft kept that personal data “sometimes for years” even if the parent did not complete the registration process, something that is prohibited by COPPA.
“Unfortunately, we fell short of customer expectations, and we are committed to complying with the order to continue to improve our safety measures,” wrote Microsoft’s Dave McCarthy, CVP of Xbox Player Services, in a post on the Xbox blog. “We believe we can and must do more and will remain steadfast in our commitment to safety, privacy and security for our community.”
In the post, McCarthy says that Microsoft did not delete account creation data for child accounts due to a “technical issue” and that the company has since corrected the issue and deleted the data. “The data was never used, shared or monetized,” according to McCarthy.