The Federal Trade Commission just announced that Microsoft has been fined 20 million dollars “on charges of unlawfully collecting personal information from children who logged into its Xbox gaming system without the consent of their parents.”

The decision follows a larger fine imposed in December 2022 on Epic Games, the developers of Fortnite, who were fined $550 million for using “privacy-invasive default settings and deceptive interfaces that misled Internet users” of Fortnite, including adolescents and children.

In this case, the FTC says the issue centered on child account creation on an Xbox console, a process that until late 2021 allowed a child to enter a certain amount of personal information before requiring a parent’s assistance and permission. Microsoft had been retaining that data (sometimes for “years”), even if the account was not created, which violates the Children’s Online Privacy Protection Rule (COPPA).

Microsoft has already responded to the decision with a post on the official Xbox blog, where Dave McCarthy, Corporate Vice President of Player Services at Xbox, says that the violation was the result of a “mistake” and that Microsoft will continue to “get better” in the future:

“We recently reached an agreement with the US Federal Trade Commission (FTC) to update our account creation process and resolve a data retention issue found in our system. Unfortunately, we do not meet customer expectations and we are committed to complying with the order to further improve our security measures. We believe we can and must do more, and we will remain steadfast in our commitment to the safety, privacy, and protection of our community.”

McCarthy goes on to explain the details of this “error” and how it led to the retention of the children’s data, despite the fact that this was “inconsistent with our policy of only keeping that information for 14 days”:

During our investigation, we identified a technical error where our systems were not deleting account creation data from child accounts where the account creation process was initiated but not completed. This was inconsistent with our policy of only keeping that information for 14 days to make it easier for players to pick up where they left off to complete the process. Our engineering team took immediate action: we fixed the bug, removed the data, and implemented practices to prevent the bug from happening again. The data was never used, shared or monetized.

For its part, the FTC statement reads as follows:

Microsoft will pay $20 million to settle charges brought by the US Federal Trade Commission (FTC) that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who registered on its Xbox gaming system without notifying their parents or obtaining parental consent, and unlawfully withholding children’s personal information.

“Our proposed order makes it easier for parents to protect the privacy of their children in Xbox and limits the information that Microsoft can collect and hold on children,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This action also makes it clear that children’s avatars, biometric data and health information are not exempt from COPPA.”

As part of a proposed order filed by the Department of Justice on behalf of the FTC, Microsoft will be required to take several steps to strengthen privacy protections for child users of its Xbox system. For example, the order will extend COPPA protections to third-party game publishers with whom Microsoft shares the children’s data. Additionally, the order makes it clear that avatars generated from a child’s image, and biometric and health information, are covered by the COPPA Rule when collected together with other personal data. The order must be approved by a federal court before it can take effect.

Via: Kotaku

Editor’s note: It is difficult to regulate this; I think it is also a lack of communication and that these processes are being reviewed. I understand that retaining information helps complete account creation, but it doesn’t make sense for this data to be stored for years.