Microsoft illegally collected and retained children’s data, says FTC

Microsoft is counting the cost of privacy violations, with $20m in fines related to illegal data collection from children’s Xbox accounts. The Xbox manufacturer has reached a settlement with the Federal Trade Commision (FTC), a result which promises to have other console developers looking closely at their privacy policies.

The FTC’s release has this to say:

Microsoft will pay $20 million to settle Federal Trade Commission charges that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information.

The primary issue outlined above, which Microsoft blames on a data retention glitch, is now fixed and Microsoft is taking action to bolster child safety on its gaming platform. Until recently, the creation of a child’s account required a specific amount of personal information to be entered before an adult was needed to assist and grant various permissions. Going back to the FTC release:

To access and play games on an Xbox console or use any of the other Xbox Live features, users must create an account, which requires users to provide personal information including their first and last name, email address and their date of birth. Even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information including a phone number and to agree to Microsoft’s service agreement and advertising policy, which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers, according to the complaint.

Microsoft was holding on to that data even in situations where the account didn’t complete the registration process. From 2015 to 2020 Microsoft retained this data for years. COPPA prohibits the retention of children’s personal information for longer than is “reasonably necessary” to fulfil the purpose for which it was originally collected.

In this case, it’s hard to argue that the data in question needed to be retained. Indeed, an Xbox representative explained that their policy is actually to save the data for 14 days only. From the Xbox portal:

Our engineering team took immediate action: we fixed the glitch, deleted the data, and implemented practices to prevent the error from recurring. The data was never used, shared, or monetized.

There are now several areas where Xbox attempts to do a better job of explaining how data is used and retained. The Microsoft Privacy Statement now includes a dedicated section regarding the processing of user data, and the Xbox home screen now includes a “clearly labelled link” to the statement. A new system will be maintained to delete personal data after two weeks if there’s an absence of parental consent. Finally, console owners can visit a privacy dashboard which explains what data is collected and used.

Games consoles are typically very good for granular privacy controls once the system is logged in. You can make profiles private, restrict who communicates with you in game, shield your owned titles from view and much more besides. This is a good example of how things can go wrong even before the system is fully up and running. A costly glitch for Microsoft, but an incremental improvement for children’s privacy.


Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

https://blog.malwarebytes.com/feed/