Microsoft Pays $20m to Settle Another FTC COPPA Case

Microsoft has become the latest big-name tech firm to agree to pay a multimillion-dollar civil penalty to resolve allegations it violated the Children’s Online Privacy Protection Act (COPPA).

The Federal Trade Commission (FTC) and Justice Department complaint alleged that Microsoft collected personal information from Xbox Live users it knew were children. It claimed the tech giant did so before notifying parents of its data collection practices and before obtaining parental consent.

The complaint also alleged that:

  • What notice Microsoft did provide to parents was incomplete and not in line with COPPA rules
  • Microsoft retained personal information on children for longer than COPPA permitted, even when they began but did not complete signing up for an Xbox Live account
  • Microsoft failed to disclose to parents all the information it collected, including their child’s profile picture

“This settlement requires Microsoft to clearly communicate with parents about their child’s data and sets up procedures to monitor Microsoft’s compliance with federal statutes regarding children’s online privacy. This work will make children safer online,” said US attorney Nick Brown for the Western District of Washington.

“I commend Microsoft for quickly acknowledging it was illegally collecting and retaining personal data of children younger than 13, and for taking steps to fix the problem.”

As well as paying a $20m penalty, Microsoft will need to take several steps to improve privacy protection for Xbox Live users under 13 years old.

These include obtaining parental consent for accounts created before May 2021, if the account holder is still a child, and telling parents who have not created a separate account for their child that doing so would generate additional privacy protections.

When it discloses children's personal information to video game publishers, it will also have to tell them that the user is a child, meaning the publishers will need to apply COPPA protections to that user.
