Microsoft to Pay $20M to Settle FTC Charges It Violated Children's Privacy

The company illegally collected and retained info collected by its Xbox gaming system, the federal watchdog says.

Steven Musil Night Editor / News

Microsoft will pay a $20 million fine to settle Federal Trade Commission charges that it illegally collected and retained personal information from children without their parents' consent, the FTC said Monday.

The company's actions violated the US Children's Online Privacy Protection Act, or COPPA, by gathering data from children who signed up for the company's Xbox gaming system, without notifying their parents or obtaining their permission, the FTC said in a statement.

The FTC's order also requires Microsoft to take steps to strengthen privacy protections for child users of the Xbox system. The order also extends to third-party game publishers Microsoft shares children's data with.

"Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in a statement. "This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA."

Privacy protection has become a persistent issue for anyone venturing online as companies store, use and pass along users' personal data, often without informing them or offering clear information on how to avoid that. But there are steps you can take, including following CNET's tips on how to keep Facebook from tracking you, how to prevent yourself from being tracked via your Apple AirTags and how to get Google to remove your personal data from search results.  

Under COPPA, companies are barred from collecting data from children under 13 without the consent of their parents and can't use data collected on children for commercial purposes like marketing or advertising. Any stored data must be adequately protected from possible theft, and companies aren't allowed to retain children's data any longer than necessary.

Microsoft retained data from 2015 to 2020 that it collected during the account creation process, even when a parent failed to complete the process, according to the complaint.

Microsoft said it's committed to complying with the FTC's order.

"In addition to our existing multifaceted safety strategy, we also plan to develop next-generation identity and age validation -- a convenient, secure, one-time process for all players that will allow us to better deliver customized, safe, age-appropriate experiences," a Microsoft spokesperson said in a statement.