Xbox has suffered a blow this week, as the U.S. Federal Trade Commission has announced that Microsoft has been forced to pay $20 million for a privacy breach involving children's personal information.
In the FTC's press release, it's explained that Microsoft "violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information."
As a result, Microsoft is being required to abide by the following rules moving forward:
- Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
- Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
- Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected; and
- Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.
Xbox has responded to the FTC's order, explaining that the team has "children’s safety and privacy top of mind", and that the account creation process now requires anyone under the age of 13 to obtain verified parental consent.
"Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community."
It's also mentioned that a "technical glitch" was behind the retention of certain child account data, and this has since been fixed. Microsoft says the data was "never used, shared, or monetised".
"During the investigation, we identified a technical glitch where our systems did not delete account creation data for child accounts where the account creation process was started but not completed. This was inconsistent with our policy to save that information for only 14 days to make it easier for gamers to pick up where they left off to complete the process.
Our engineering team took immediate action: we fixed the glitch, deleted the data, and implemented practices to prevent the error from recurring. The data was never used, shared, or monetized."
The rest of Xbox's response goes into detail about how the team plans to "remain steadfast in our commitment to safety, privacy, and security for our community", which includes testing new methods to validate age in the future. The Microsoft Privacy Statement has also been updated with the last information about "how Xbox processes user data.
"We want all parents, caregivers, and families to know that, more than anything else, we have their children’s safety and privacy top of mind. We will continue to communicate the changes we are making to our practices and the data we collect so we can better protect children using our platform. We also continue to explore creative ways to educate players about online safety."
If you want to read the full Xbox response to the FTC, you'll find it on the official Xbox Wire website.