Failure to strictly follow children’s privacy laws on the Xbox Live gaming service is about to cost Microsoft a substantial amount of money, as the company has settled a Federal Trade Commission (FTC) case with a $20 million fine for inappropriate collection and storage of personal data.
The FTC alleges that Microsoft violated the Children’s Online Privacy Protection Act (COPPA) by collecting the personal information of minors before the signup step that asked for parental permission, and that it retained some of this information for longer than it was supposed to. Pending approval by a federal court, the settlement will also require Microsoft to change its Xbox Live consent, parental notification and data retention practices.
Xbox Live hit with COPPA fine over violations of children’s privacy
When kids play games online with an Xbox console, or when they play on PC via the Xbox Cloud Gaming service, they are asked to create an Xbox Live account to match with and chat with other online players. This requires certain basic personal information such as a full name, email address and date of birth. Until late 2021 all users were also asked to provide a phone number, even if they had indicated that they were 13 or younger. And until 2019, Microsoft attempted to opt users in during the signup process with a pre-checked box that provided consent to data sharing with online advertisers.
All of this data collection came prior to the prompt for children under 13 to have parents complete a parental consent form to activate the account. From 2015 to 2020, whether or not the parent actually completed this process, Microsoft retained the child’s personal data. The children’s privacy complaint states that the data was held for longer than was necessary and permitted under COPPA provisions.
Children’s privacy may have been violated even if they opted out of advertising uses during signup and parents completed the permission process. The unique “gamertag” name that each player picks is paired with a unique identifier that is used for sharing data with third-party developers of games and apps. In some cases, if children were playing games developed by someone other than Microsoft, the parents would have to go through an additional opt-out process to keep personal information from being shared this way. Microsoft also did not disclose to parents that it could collect a picture of the child to go with the gamertag.
The fact that children could have a picture of themselves attached to the gamertag while online appears to be a central element in the terms of the penalty. A picture constitutes biometric facial information, something that COPPA forbids publishers from collecting when it is used in connection with other identifying information. If the order is approved by a federal court, Microsoft will, in addition to paying the fine, have to obtain updated parental consent for children’s accounts created prior to May 2021. It will also have to provide parents with more information about the data it collects from their children, notify third-party publishers when a user is subject to COPPA children’s privacy rules, and hold children’s information for no longer than two weeks after it has been used for its necessary purpose. If parents ultimately do not provide consent, all of the child’s data must be deleted.
About 218,000 Xbox Live accounts impacted
Accounts that are impacted by the children’s privacy violations cited in the complaint reportedly have active dates of January 2017 to December 2021, but there were likely at least some similar issues with accounts created before that (Xbox Live was launched during the first iteration of the console in 2002).
COPPA went on the books in 1998, and a 2004 ruling against Bonzi Software (publishers of then-popular virtual assistant BonziBUDDY) established that it applied to online services and games as well as websites. That case similarly saw the company collect children’s birth dates and fail to provide a clear notice of data collection terms, ultimately costing a civil penalty of $400,000. At the time, that ruling was a record COPPA fine amount; the precedent would be buttressed over the following years by a number of other decisions, including a new record judgment of $170 million for YouTube in 2019 due to applying unique ad tracking identifiers to users under the age of 13.
The FTC has been on something of a roll with COPPA actions as of late, as Nikhil Girdhar (Senior Director of Data Security for Securiti) notes: “This recent FTC case serves as a stark reminder for businesses about the crucial importance of diligent interpretation and application of privacy laws. Early, explicit consent should be obtained at the outset of data collection, establishing a solid foundation for respectful, lawful use of personal data. To prevent non-compliant data use, businesses must ensure consent and processing purposes are adhered to, not just internally, but also by their vendors. As the scale of data collection expands, manual privacy control enforcement is proving inadequate. Hence, the next logical step is to translate privacy laws into actionable code, enabling automated control mechanisms that enforce data consent, usage, and retention rules consistently and throughout the entire data lifecycle. This would extend to data disposal, ensuring protections are not compromised at any point. To keep up with the ever-growing complexity of managing data risk in this digital era, businesses must strive for an integrated, automated approach to data privacy, rooted in a profound understanding of the data owner and their personal data.”
Recent FTC actions involving children’s privacy include a $25 million fine to Amazon for holding on to data after parents made deletion requests (and feeding it to machine learning algorithms), and a $6 million fine to virtual classroom host Edmodo for failing to obtain parental consent and retaining student data indefinitely. But these actions also illustrate the varying level of deterrence that a COPPA fine presents: Edmodo had already shut its doors when the investigation was announced last year, while Microsoft and Amazon will likely absorb their fines with ease given their hundreds of billions of dollars in annual revenue.