Microsoft has agreed to pay a $20 million settlement to US federal regulators following an investigation that revealed the company had illegally collected data on children who had created Xbox accounts. The settlement, reached with the Federal Trade Commission (FTC), also includes enhanced protections for child gamers and stricter compliance with privacy regulations. This comes after a similar action was taken against Amazon last week for violations related to its Echo devices.
The FTC found that Microsoft had violated the Children’s Online Privacy Protection Act by failing to obtain proper parental consent and by retaining the personal data of children under the age of 13 for longer than necessary. The law requires online services and websites directed toward children to inform parents about the collection of personal data and obtain consent.
Insufficient Parental Consent and Data Retention:
Microsoft’s Xbox requires users to create an account for certain services, and during the setup process, information such as full name, email address, and date of birth is collected. However, the company did not seek parental consent until after obtaining personal information, including the child’s phone number. Moreover, between 2015 and 2020, Microsoft retained data from the account setup, even when parental consent was not provided, which the FTC stated was sometimes for years.
Another violation highlighted by the FTC was Microsoft’s failure to inform parents about all the data it was collecting, including the user’s profile picture. The company was also found to have distributed data to third parties without proper disclosure to parents.
Commitment to Improvements and Enhanced Safety Measures:
Microsoft acknowledged its shortcomings and expressed its commitment to complying with the settlement and improving its safety measures. Dave McCarthy, CVP of Xbox Player Services, emphasized the company’s determination to prioritize safety, privacy, and security for the Xbox community. Microsoft aims to meet and exceed customer expectations while safeguarding user data.
In addition to the financial penalty, Microsoft is required to implement new safety protections for children. This includes the establishment of a system that deletes all personal data within two weeks if parental consent is not obtained. However, the settlement order is subject to approval by a federal judge before it can be enforced.
Broader Implications and Recent Cases:
The settlement with Microsoft follows recent actions taken by the FTC against Amazon. Last week, Amazon agreed to pay $25 million for retaining sensitive data, including voice recordings of children, for an extended period. Furthermore, Amazon’s doorbell camera unit, Ring, agreed to a $5.8 million settlement after granting employees unrestricted access to customers’ data.
Conclusion:
The settlement between Microsoft and the FTC highlights the importance of protecting children’s online privacy and complying with regulations. As technology companies face increased scrutiny, maintaining transparency, obtaining proper consent, and implementing robust data protection measures are crucial for safeguarding user information. The outcome of these cases will likely influence industry practices and encourage stricter adherence to privacy regulations in the future.