Microsoft pays $20 million in FTC settlement over improperly storing Xbox account information for children


Microsoft plans to pay the Federal Trade Commission (FTC) a $20 million settlement over allegations that the company violated the Children’s Online Privacy Protection Act (COPPA). The company kept certain children’s personal information, collected when accounts were created, much longer than it should have, according to a press release.

Microsoft will also have to make some changes as part of a proposed injunction filed by the Department of Justice (DOJ) on behalf of the FTC. Those changes include telling parents that a separate child account provides additional privacy protections, requiring parents to provide consent for child accounts created before 2021, creating systems to delete data required to obtain parental consent for a child account, and telling other publishers when it “discloses children’s personal information that the user is a child,” the press release says.

This is just the latest FTC settlement with a video game company over alleged COPPA violations. In December 2022, Fortnite developer Epic Games reached a $520 million settlement with the FTC, $275 million of which was for the COPPA violations. Earlier that month, Epic introduced accounts for kids for Fortnite, Rocket League, and Fall Guys.

On Monday, the FTC said that until late 2021, when a user created a Microsoft account, the company would ask for certain personal information before asking a parent of a player under 13 to get involved in creating the account. But the FTC claims that Microsoft retained that personal information “sometimes for years” even when the parent did not complete the sign-up process, something prohibited by COPPA.

“Unfortunately, we fell short of customer expectations and are committed to complying with the order to continue improving our security measures,” Dave McCarthy, CVP of Microsoft’s Xbox Player Services, wrote in an Xbox blog post. “We believe we can and must do more, and we will remain steadfast in our commitment to safety, privacy and security for our community.”

In the post, McCarthy says Microsoft didn’t remove account creation data for child accounts due to a “technical glitch,” and that the company has since fixed the glitch and deleted the data. “The data was never used, shared, or monetized,” McCarthy said.