Microsoft Fined $20M For Xbox Child Data Collection

Microsoft has reached a $20 million settlement with the Federal Trade Commission (FTC) for violating the Children's Online Privacy Protection Act (COPPA), by gathering, without parental consent, data on children using its Xbox gaming system.

COPPA rules state that sites aimed at children under 13 must notify parents and obtain consent before collecting any personal data, and that even with parental consent, storage of any data on a minor can't be stored longer than is "reasonably necessary," according to the FTC. The FTC said it found Microsoft retained children's data from 2015-2020, often collected from Xbox accounts without parents' permission.

The FTC has proposed an order in coordination with the Department of Justice asking that in addition to the fine, Microsoft must extend COPPA protections to third-party game publishers in the Xbox ecosystem, the FTC added. Regulators also specifically outlined that a child's image, biometric and health information captured by Xbox are likewise covered by COPPA rules.

"Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids," Samuel Levine, Director of the FTC's Bureau of Consumer Protection said in the Microsoft fine announcement. "This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA."