
Microsoft settles for $20 million with FTC over Xbox’s collection of children’s data

Microsoft will pay a $20 million penalty after settling charges that it allegedly flouted a federal law barring companies from collecting and retaining children’s personal information without parental consent.

The settlement with the Federal Trade Commission comes in response to charges that Microsoft’s Xbox gaming system illegally gathered and retained children’s personal information without alerting their parents or getting their approval.

“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a prepared statement. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”

COPPA, or the Children’s Online Privacy Protection Act, dates to 1998. The COPPA Rule mandates that online services and websites aimed at children under 13 alert parents about the personal information they collect and obtain parental consent before gathering and using any of that information.

A Department of Justice order filed on behalf of the FTC requires Microsoft to expand COPPA protections to include third-party gaming publishers Microsoft shares children’s data with. The order must be approved by a federal court before it can go into effect, according to the FTC announcement.

Microsoft had no immediate comment on the settlement, but a blog post Monday by Dave McCarthy, the corporate vice president for Xbox player services, blamed the company’s alleged violation of federal law on a “technical glitch.”

“Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,” McCarthy wrote. “We believe that we can and should do more.”

McCarthy said the glitch has been fixed and the data has been deleted. He added that the children’s information was never used, shared or monetized.

According to the FTC, until late 2021, Microsoft violated COPPA by asking children under 13 for some personal information before involving parents in setting up an account. The FTC alleges that Microsoft in some cases kept that personal data for years — doing so even when the signup wasn’t completed.

The FTC's action on children's data isn't the first against a video game maker. In December 2022, Fortnite developer Epic Games agreed to a $520 million settlement with the FTC in part for allegedly breaking COPPA rules.


Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.