Microsoft Fined $US20 Million For ‘Illegally’ Collecting Children’s Information On Xbox

The Federal Trade Commission just announced that Microsoft has been fined $US20 million “over charges it illegally collected personal information from children who signed up for its Xbox gaming system without their parents’ consent”.

The ruling follows a larger one from December 2022, when Epic Games, developers of Fortnite, were hit with a $US550 million fine for using “privacy-invasive default settings and deceptive interfaces that tricked Fortnite users, including teenagers and children”.

In this instance, the FTC says the issue centred around the creation of children’s accounts on an Xbox console, a process that, until late 2021, would allow a child to enter a certain amount of personal information before requiring a parent’s assistance and permission. Microsoft had been keeping that data (sometimes for “years”), even if the account wasn’t created, which is a violation of the Children’s Online Privacy Protection Rule (COPPA).

Microsoft has already responded to the ruling with a post on the official Xbox blog, with Dave McCarthy, CVP Xbox Player Services, saying the violation was a result of a “glitch” and that Microsoft will “continue improving” going forwards:

“We recently entered into a settlement with the U.S. Federal Trade Commission (FTC) to update our account creation process and resolve a data retention glitch found in our system. Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”

McCarthy goes on to explain the details of this “glitch”, and how it led to the retention of children’s data despite this being “inconsistent with our policy to save that information for only 14 days”:

“During the investigation, we identified a technical glitch where our systems did not delete account creation data for child accounts where the account creation process was started but not completed. This was inconsistent with our policy to save that information for only 14 days to make it easier for gamers to pick up where they left off to complete the process. Our engineering team took immediate action: we fixed the glitch, deleted the data, and implemented practices to prevent the error from recurring. The data was never used, shared, or monetized.”

The FTC’s statement, meanwhile, says: