Microsoft will be paying $20 million to settle U.S. FTC charges that state that the company illegally collected and retained data of children who signed up for an Xbox account without their parents’ knowledge or consent.

"Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids," FTC's Samuel Levine said. "This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA."

As part of the settlement, the account creation process has been ordered to be updated so that it prevents data from being collected and stored on children. Parental consent will be required, and information will need to be deleted within two weeks if parental approval is not obtained. This guideline also will apply to any third-party publishers that Microsoft shares data with.

According to the FTC, Microsoft violated COPPA’s consent and data retention requirements by requiring children under 13 provide their first name, last name, email address, birth date, and phone number until late 2021. Microsoft also shared this data through 2019 with advertisers.

"It wasn't until after users provided this personal information that Microsoft required anyone who indicated they were under 13 to involve their parent," the FTC said. "The child's parent then had to complete the account creation process before the child could get their own account."

Microsoft retained the data collected from children during the account creation process, even if a parent did not finish the signup for their child – which violates U.S. child privacy laws.

Additionaly, Microsoft is accused of creating a unique identifier for underage accounts, and sharing data with third-party game and app publishers. Parents would then have to opt-out in order to prevent children from accessing third-party games through Xbox Live.

Although no specifics were given, Xbox has responded by saying that they will improve their age verification system ensure that parents are required throughout the account creation process for their child.

Xbox also noted that a technical glitch occurred, causing a failure to “delete account creation data for child accounts where the account creation process was started but not completed.” They emphasized that the data was never “used, shared or monetized.”

Story via The Hacker News