Microsoft to pay $20 million FTC settlement over improperly storing Xbox account data for kids

Microsoft is set to pay the Federal Trade Commission (FTC) a $20 million settlement over charges that the company violated the Children’s Online Privacy Protection Act (COPPA). The company retained certain personal information of kids far longer than it should have when they made accounts, according to a press release.

Microsoft will also have to make some changes as part of a proposed order filed by the Department of Justice (DOJ) on behalf of the FTC. Those changes include telling parents that a separate child account comes with additional privacy protections, requiring parents to give consent for child accounts made before 2021, making systems to delete data about necessary to get parental consent for a kids’ account, and telling other publishers when it “discloses personal information from children that the user is a child,” the press release says.

This is just the latest FTC settlement with a video game company over alleged violations of COPPA. In December 2022, Fortnite developer Epic Games reached a $520 million settlement with the FTC, with $275 million of that over the COPPA violations. Earlier that month, Epic introduced for-kids accounts for Fortnite, Rocket League, and Fall Guys.

On Monday, the FTC said that until late 2021, when a user created a Microsoft account, the company asked for certain personal information before asking a parent of an under-13 player to get involved in making the account. But the FTC alleges that Microsoft retained that personal data “sometimes for years” even if the parent didn’t finish the signup process, which is something that’s prohibited by COPPA.

“Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,” Microsoft’s Dave McCarthy, CVP of Xbox Player Services, wrote in an Xbox blog post. “We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”

In the post, McCarthy says that Microsoft wasn’t deleting account creation data for child accounts due to a “technical glitch,” and that the company has since fixed the glitch and deleted the data. “The data was never used, shared, or monetized,” according to McCarthy.