According to an FTC statement, the Xbox sign-up process violates the Children’s Online Privacy Protection Act because it collects children’s personal information without notifying their parents and getting their permission.
Xbox was also accused of “illegally retaining children’s personal information”, something the company has admitted and described as a “technical glitch”.
The issue, which was mainly remedied in late 2021, revolved around the process required when signing up for an Xbox Live account.
When a user signed up for an account, they had to provide their full name, email address and date of birth. Even if this date of birth showed the user was under 13, they were still asked to provide more personal information, including their phone number.
Until 2019, this also included a pre-checked box agreeing to receive promotional material and to let Microsoft send user data to advertisers.
Only after this information was provided did the process then require anyone under 13 to get a parent to complete the rest of the account creation process. However, according to the FTC’s complaint, from 2015 to 2020 the child’s data was still retained even if the process wasn’t completed, sometimes for years.
Proposed order will require Microsoft to bolster protections for children; makes clear that avatars generated from kids’ image and biometric and health data are protected under the Children’s Online Privacy Protection Act (COPPA) /2
— FTC (@FTC) June 5, 2023
In a statement on the Xbox website addressing the $20 million settlement, CVP of Xbox Player Services Dave McCarthy referred to the issue as a “data retention glitch” and said: “Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures.”
McCarthy explained: “During the investigation, we identified a technical glitch where our systems did not delete account creation data for child accounts where the account creation process was started but not completed.
“This was inconsistent with our policy to save that information for only 14 days to make it easier for gamers to pick up where they left off to complete the process.
“Our engineering team took immediate action: we fixed the glitch, deleted the data, and implemented practices to prevent the error from recurring. The data was never used, shared, or monetised.”
He added: “Since the FTC settlement, we have updated our account creation process, which now requires players to first identify date-of-birth and, if under 13 years old, obtain verified parental consent before providing us with any information such as phone number or email address.
“This updated process ensures that we can identify potential child accounts immediately and make clear to parents and caregivers the next steps to protect their children’s data and play safely on our network.
“Over the coming months, players who are under the age of 13 and created an account prior to May 2021 will require parental reconsent – meaning a parent will be prompted to reverify the account and grant permission for their child to continue gameplay and activity on Xbox. We are committed to making this process as seamless as possible.”
Epic Games recently agreed to pay over half a billion dollars to settle a pair of complaints brought against it by the FTC, which accused the Fortnite maker of violating children’s privacy and tricking players into incurring unwanted charges.