Microsoft to pay $20 million to FTC for ‘improperly’ storing Xbox account data of kids – Times of India
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox and limits what information Microsoft can collect and retain about kids. This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
Microsoft has to improve privacy protections for kids
As part of a proposed order filed by the Department of Justice (DoJ) on behalf of the FTC, Microsoft will be required to take several steps to improve privacy protections for kids accessing its Xbox system.
For example, the order will extend COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data. Moreover, the order also states that avatars generated from a child’s image, along with biometric and health information, are all covered by the COPPA rule when collected with other personal data. However, this order has to be approved by a federal court before it comes into effect.
As per the COPPA rule, online services and websites directed to children under 13 also need to notify parents about the personal information they collect. These platforms also need to obtain verifiable parental consent before collecting and using any personal information collected from children.
Xbox Live service’s data collection ‘problem’
Microsoft’s Xbox gaming products allow users to play and chat with other players through its Xbox Live service. To access and play games on an Xbox console or use any of the other Xbox Live features, users need to create an account, which requires users to provide personal information including their first and last name, email address as well as date of birth.
The complaint filed by the DoJ notes that, until late 2021, even when a user indicated that they were under 13, they were asked to provide additional personal information, including a phone number, and to agree to Microsoft’s service agreement and advertising policy. As per the complaint, until 2019 the registration page included a pre-checked box which allowed Microsoft to send promotional messages and share user data with advertisers.
Microsoft required anyone who indicated they were under 13 to involve their parent only after these users provided their personal information. The company then allowed the parents of these child users to complete the account creation process before offering the kids their accounts.
The complaint notes that from 2015 to 2020 Microsoft retained the data (sometimes for years) that it collected from children during the account creation process, even when a parent failed to complete the process. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfil the purpose for which it was collected.
After a child makes an account, they can create a profile that includes their “gamertag”. This is the primary identifier which is visible to the user and other Xbox Live users. Users can also upload a picture or include an avatar, which is a figure or image that represents the user.
The complaint accuses Microsoft of combining this information with a unique persistent identifier it creates for each account holder, even children. The company also allegedly shared this information with third-party game and app developers.
Microsoft also allows all users, including children, to play third-party games and apps while using Xbox Live by default. However, parents are required to take additional steps to opt out if they don’t want their children to access them.
The company hasn’t fully complied with COPPA’s notice provisions as it allegedly failed to disclose to parents all the information it collected, such as a child’s profile picture.
Other changes Microsoft needs to make
Apart from the monetary penalty, Microsoft will also be required to make some other changes under the proposed order. The company has to inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default.
Microsoft also has to obtain parental consent for accounts created before May 2021 if the account holder is still a child. The company also has to establish and maintain systems to delete, within two weeks, all personal information that it collects from children for the purposes of obtaining parental consent.
When it discloses personal information from children to video game publishers, Microsoft also has to notify them that the user is a child. This will require the publishers to apply COPPA’s protections to that child.