The Federal Trade Commission just announced that Microsoft was fined $20 million “for unlawfully collecting personal information from children who signed up for its Xbox gaming system without parental consent.”
The decision follows a larger one from December 2022, when Epic Games, developers of Fortnite, were fined $550 million for using “privacy-intrusive default settings and deceptive interfaces that misled Fortnite users, including teenagers and children.”
In this case, the FTC says the issue centered on creating accounts for children on an Xbox console, a process that until the end of 2021 would let a child enter a number of personal details before asking for the help and permission of a parent. Microsoft kept this data (sometimes for “years”) even when the account creation was never completed, which is a violation of the Children’s Online Privacy Protection Act (COPPA) rule.
Microsoft has already responded to the ruling with a post on the official Xbox blog, in which Dave McCarthy, CVP Xbox Player Services, says the breach was the result of a “problem”, and that Microsoft will “continue to improve” in the future:
We recently reached a settlement with the US Federal Trade Commission (FTC) to update our account creation process and resolve a data retention issue found in our system. Unfortunately, we have not met customer expectations and we are committed to complying with the order to continue improving our security measures. We believe we can and should do more, and we will stay true to our commitment to the safety, privacy, and security of our community.
McCarthy goes on to explain the details of this “problem”, and how it led to the children’s data being retained despite it being “inconsistent with our policy of saving this information for only 14 days”:
During the investigation, we identified a technical issue where our systems were not deleting account creation data for child accounts where the account creation process had started but was not completed. This was not in line with our policy of retaining this information for only 14 days to make it easier for players to pick up where they left off to complete the process. Our engineering team took immediate action: we fixed the issue, deleted the data, and implemented practices to prevent the error from happening again. The data has never been used, shared or monetized.
The FTC statement, for its part, says:
Microsoft will pay $20 million to settle Federal Trade Commission charges that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up for its Xbox gaming system without informing their parents or obtaining their parents’ consent, and unlawfully keeping children’s personal information.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox and limits the information Microsoft can collect and maintain about children,” said Samuel Levine, director of the FTC’s Consumer Protection Bureau. “This action should also make it very clear that avatars, biometrics and children’s health information are not exempt from COPPA.”
As part of a proposed order filed by the Department of Justice on behalf of the FTC, Microsoft will have to take several steps to strengthen the privacy protections of children using its Xbox system. For example, the order will extend COPPA protections to third-party game publishers with whom Microsoft shares children’s data. Additionally, the order clarifies that avatars generated from a child’s image and biometric and health information are covered by the COPPA rule when collected with other personal data. The order must be approved by a federal court before it can take effect.
Article source: https://kotaku.com/xbox-microsoft-ftc-illegal-fine-glitch-childres-profile-1850509207