Microsoft has reached a settlement with the US trade regulator over violations of children’s privacy on the Xbox. The company will pay $20 million because young Xbox users did not have to ask their parents for permission.
Microsoft pays $20 million, equivalent to approximately 18.7 million euros, to the American Federal Trade Commission. That’s a settlement; Microsoft thus acknowledges that it has violated the American Children’s Online Privacy Protection Act.
The company collected the data of young users who sign up for Xbox Live. Children who signed up for the service had to provide a first and last name, email address and date of birth. They were then shown the privacy terms, which had to be accepted before the account could be created. Microsoft therefore presented these privacy conditions to all users, regardless of whether they were older or younger than thirteen. Children aged thirteen and younger are required to ask permission from a parent or guardian, but Microsoft had not arranged for this.
Microsoft thus stored the data of children who may have been younger than thirteen for years. This not only concerns their email addresses and dates of birth, but also gamertags and avatars, both of which are linked to an account with a unique identifier. That information could also be shared with third parties and game developers.
In addition to paying the settlement amount, Microsoft must also change the process for creating accounts. The company must inform parents about children who have created an account and ask parents for permission if the user is still under the age of thirteen. From now on, it must also be possible to delete all collected data within two weeks if it turns out that parents have not given permission. Finally, game developers must delete data collected from children through Microsoft.