Microsoft to Pay $20 Million Penalty for Illegally Collecting Kids' Data on Xbox
Microsoft has agreed to pay a penalty of $20 million to settle U.S. Federal Trade Commission charges that the company illegally collected and retained the data of children who signed up to use its Xbox video game console without their parents' knowledge or consent.
The privacy protections also extend to third-party gaming publishers with whom Microsoft shares children's data, in addition to subjecting biometric information and avatars created from children's faces to the privacy laws.
Microsoft, per the FTC, violated COPPA's consent and data retention requirements by requiring those under 13 to provide their first and last names, email addresses, dates of birth, and phone numbers until late 2021.
Microsoft chose to retain data collected from children during the account creation step for years even in scenarios where a parent did not complete the signup process, thereby contravening child privacy laws in the U.S. The company has further been accused of creating a unique persistent identifier for underage accounts and sharing that information with third-party game and app developers and explicitly requiring parents to opt out in order to prevent their children from accessing third-party games and apps in Xbox Live.
It also blamed some of the issues on a technical glitch that failed to "delete account creation data for child accounts where the account creation process was started but not completed," emphasizing that the data was promptly deleted and never "used, shared, or monetized."
The fines come as Microsoft disclosed it anticipates fines to the tune of "approximately $425 million" from the Irish Data Protection Commission in the fourth quarter of 2023 for potentially violating the European Union General Data Protection Regulation to serve targeted ads to LinkedIn users.
News URL
https://thehackernews.com/2023/06/microsoft-to-pay-20-million-penalty-for.html