FTC slaps Microsoft with $20 million fine over Xbox data

Jun 7, 2023, 6:31 PM UTC

The Federal Trade Commission (FTC) revealed that Microsoft has agreed to pay a hefty $20 million settlement to resolve allegations of mishandling personal information obtained from children who registered for Xbox accounts. The commission accused the tech giant of violating the Children’s Online Privacy Protection Act (COPPA) by unlawfully retaining personal data, including names and profile pictures, of underage users who initiated the Xbox account creation process but did not complete it.

Responding to the allegations, Dave McCarthy, the Corporate Vice President (CVP) of Xbox player services at Microsoft, acknowledged that a “data retention glitch” had prevented the deletion of the collected personal data. McCarthy emphasized the company’s commitment to user privacy and admitted that more should be done to safeguard sensitive information. As part of the settlement, Microsoft has pledged to implement new policies aimed at informing parents about the storage of their children’s data and promoting the use of parental controls on Xbox.

This settlement is yet another instance of the FTC imposing substantial fines on gaming companies for non-compliance with COPPA regulations. In December of the previous year, Epic Games, the renowned game studio responsible for the popular title Fortnite, paid a staggering $520 million settlement for a similar breach of data privacy. These actions by the FTC underscore the agency’s commitment to enforcing the protection of children’s personal information and maintaining a secure digital environment for young users.

The Children’s Online Privacy Protection Act, enacted in 1998, was designed to safeguard children’s privacy by placing restrictions on the collection, storage, and use of their personal information online. Companies falling under the purview of COPPA are required to obtain verifiable parental consent before collecting any personal data from children under the age of 13.

While COPPA compliance presents unique challenges for online gaming platforms like Xbox, the responsibility to protect young users’ privacy remains paramount. Microsoft’s failure to promptly delete incomplete account information, as highlighted in the settlement, serves as a reminder to companies about the importance of strict adherence to COPPA regulations.

With the rapid growth of the gaming industry and the increasing number of young users, the protection of personal data has become a critical concern. Gaming companies are entrusted with vast amounts of sensitive information, including names, ages, and even voice recordings, making them prime targets for potential data breaches. As a result, maintaining robust data protection measures and complying with applicable privacy laws is of utmost importance to preserve user trust and avoid regulatory penalties.
