Microsoft to Pay $20 Million Fine for Violating Children’s Privacy

Microsoft logo on a smartphone placed on displayed Activision Blizzard's games characters on Jan. 18, 2022. (Dado Ruvic/Reuters)
Naveen Athrappully
6/6/2023
Updated: 6/6/2023

Tech giant Microsoft has agreed to pay a multi-million dollar settlement to the U.S. Federal Trade Commission (FTC) for illegally collecting children’s personal information without parental consent.

The $20 million settlement came after the FTC charged Microsoft with violating the Children’s Online Privacy Protection Act (COPPA). According to COPPA rules, websites and online services open to children below the age of 13 must notify parents regarding the personal information collected. The service should also obtain verifiable consent from parents before collecting and using such information, according to a June 5 FTC press release.

The FTC charged Microsoft with collecting private info from children who signed up for its Xbox gaming system without following COPPA rules while also illegally retaining such data.

“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.

“This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”

In addition to the $20 million monetary penalty, Microsoft is also required to take several steps to boost privacy protections for child users of its Xbox systems.

As part of this, Microsoft has to obtain parental consent for accounts created before May 2021 in case the account holder is still a child.

When disclosing children’s personal information to game publishers, the company must also notify them that the user is still a child so that the publishers can apply COPPA protections to such accounts.

The FTC’s $20 million fine comes as Microsoft is preparing to pay bigger fines in Europe. In a notification to investors, the company revealed that it expects the Irish Data Protection Commission (DPC) to fine it approximately $425 million for violating the European Union’s General Data Protection Regulation (GDPR) rules due to its ad practices.

As part of this, Microsoft has decided to increase its existing reserves to meet the potential fine. The software firm intends to dispute the legal basis as well as the amount of the fine.

Collecting Children’s Data

Microsoft’s Xbox gaming products allow users to play and chat with other users through the Xbox Live service. Users are first required to create an account to access and play games on an Xbox console. This includes providing personal details like first name, last name, email address, and date of birth.

According to the FTC press release, even when users stated they were under 13, the service still asked them to provide additional personal information like a phone number until late 2021. In addition, users were also required to agree to the company’s service agreement and advertising policy. Until 2019, this included allowing Microsoft to send promotional messages and share user data with advertisers.

Only after all this information was provided did Microsoft direct users below the age of 13 to notify their parents. The parents then had to complete an account creation process so that the child could get an account.

Between 2015 and 2020, Microsoft is said to have retained data it collected from children during their account creation process, even when parents failed to create their accounts. COPPA rules prohibit the retention of children’s data once the purpose for which it was collected has been fulfilled.

The Epoch Times has reached out to Microsoft.

Protecting Children Online

Microsoft has previously been criticized for not doing enough to protect children online. In December, Australia’s e-Safety Commissioner Julie Inman Grant revealed that the agency had sent legal demands to major tech firms, including Microsoft, requesting that they provide details about how they tackle the issue of child abuse content and grooming.

Per the commissioner, responses from Microsoft showed that the company failed to proactively detect such material in their storage and streaming services—iCloud and OneDrive. This happened even though Microsoft’s PhotoDNA detection technology is widely available, Grant said.

“PhotoDNA was developed by Microsoft and is now used by tech companies around the world to scan for known child sexual abuse images and videos, with a false positive rate of 1 in 50 billion,” Grant said in a press release on Dec. 15, 2022.

In September, Meta-owned Instagram was fined 405 million euros ($403 million) by the Irish Data Protection Commission after the commission found that the platform had breached GDPR regulations. Instagram was found to have allowed children to set up business accounts on the platform, making their phone numbers and email addresses public.