Microsoft Fined US$20M for Violating Children's Online Privacy

Microsoft Corporation has agreed to pay a US$20 million civil penalty as part of a settlement with the U.S. Justice Department and the Federal Trade Commission (FTC) for violating children’s online privacy using Microsoft’s Xbox Live service.

Boy Playing XboxMicrosoft allegedly retained personal information of children who started but did not complete creating Xbox Live accounts. (Photo: Victoria Borodinova, PublicDomainPictures, License)According to the U.S. authorities’ statement released on Monday, Microsoft didn’t comply with the Children’s Online Privacy Protection Act (COPPA) and the Children’s Online Privacy Protection Rule (COPPA Rule) which requires companies to obtain parental consent before collecting personal information from children. They  must also provide comprehensive disclosures regarding their data collection practices.

The complaint filed in the U.S. District Court for the Western District of Washington alleges that Microsoft continued to collect personal information from children, such as telephone numbers, despite knowing that some users were younger than 13.

Additionally, the complaint alleged that notices provided to parents were incomplete, failing to meet the requirements outlined in the COPPA Rule.

Finally, the complaint alleged that Microsoft retained personal information of children who started but did not complete creating Xbox Live accounts for longer than permitted by the COPPA Rule.

“It is essential that before collecting children’s personal information, online companies provide complete and timely disclosures about their information collection practices so that parents can make informed decisions,” said Brian Boynton, head of the Justice Department's Civil Division.

“This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA,” said Samuel Levine, director of the FTC's Bureau of Consumer Protection.

The alleged violations of children's privacy laws highlight potential risks to their safety. According to the FTC, unauthorized collection and retention of personal data expose children to threats such as identity theft, cyberbullying, and predatory behavior, all of which are particularly concerning given the vulnerability of young individuals in online spaces.