Microsoft to pay $20M settlement for illegally collecting children’s personal data

Microsoft will pay $20 million to settle charges brought by the Federal Trade Commission accusing the tech giant of illegally collecting the personal information of children without their parents’ consent — and in some cases retaining it “for years.”

The federal consumer watchdog said Microsoft violated the Children’s Online Privacy Protection Act (COPPA), the federal law that governs the online privacy protections for children under the age of 13, which requires companies notify parents about the data they collect, obtain parental consent and delete the data when it’s no longer necessary.

The FTC said children signing up to Microsoft’s Xbox gaming service were asked to provide their personal information — including their name, email address, phone number and date of birth — which until 2019 included a pre-filled check box allowing Microsoft to share user information with advertisers. The FTC said Microsoft collected this data before asking for the parent to complete the account setup, but held onto children’s data even if the parent abandoned the sign-up process.

“Only after gathering that raft of personal data from children did Microsoft get parents involved in the process,” said FTC’s Lesley Fair in a corresponding blog post.

As a result, the FTC will require Microsoft to notify parents and obtain consent for accounts created before May 2021. Microsoft will also have to establish new systems to delete children’s personal information if it hasn’t obtained parental consent, and to ensure the data is deleted when it’s no longer needed.

Microsoft did not respond to a request for comment, but Xbox boss Dave McCarthy said in a blog post that the company “did not meet customer expectations” and is “committed to complying with the order to continue improving upon our safety measures.” McCarthy said the reason that Microsoft retained children’s data for longer was because of a “technical glitch,” and that the data was “never used, shared, or monetized.”

The FTC said this was its third COPPA-related enforcement in recent weeks, including a recent action it took against Amazon for keeping Alexa voice recordings “forever” and failing to honor parents’ deletion requests.