Skip to main content

FTC fines Microsoft $20m for illegally collecting children's personal information

Microsoft vows to develop "next-generation identity and age validation" system as it addresses violations of COPPA

Sign up for the GI Daily here to get the biggest news straight to your inbox

At a glance

  • Microsoft to pay $20 million for violating Children's Online Privacy Protection Act
  • Xbox users under 13 years old were asked to provide personal information before parents were notified
  • Platform holder is reaching out to all child users who created an account before May 2021 to secure parental consent

The Federal Trade Commission has ordered Microsoft to pay $20 million after an investigation found that it has been illegally collecting the personal information of children who use its Xbox consoles without parental consent.

The FTC said Xbox has violated the Children's Online Privacy Protection Act by not only gathering this data, but also by illegally retaining it for longer than is necessary.

In addition to the fine, a proposed order filed by the Department of Justice on behalf of the FTC will require Microsoft to take steps to improve the privacy protection for child users on Xbox. This will include extending COPPA protections to any third-party publishers with whom Microsoft shares data.

This order must be approved by a federal court before it can go into effect, although Microsoft has detailed some of the changes it has already made in its own blog post.

The issues raised by the FTC's original complaint includes the fact that the process of creating an Xbox account, which all users must complete in order to play games, involves providing personal information including the user's first name, last name, date of birth and email address. It was only after this data was given that Microsoft indicated the need for parental consent to complete the process if the user was under 13 years old.

Microsoft said it has updated its account creation process, which will now requires players to provide their date of birth first. If the user is younger than 13, parental consent must be obtained before they are asked for a phone number and email address.

The FTC's complaint also observed that from 2015 to 2020, Microsoft retained the data it collected from children during the account creation process, even if a parent failed to complete it. The COPPA forbids the retention of personal information "for longer than is reasonably necessary to fulfill the purpose for which it was collected," according to the Commission.

Microsoft has attributed this to a "technical glitch" that means its systems were not deleting data for child accounts that did not complete the creation process. This has been addressed, the data has been deleted, and Microsoft has taken steps to prevent this from happening again.

The Xbox firm also emphasised that this data was "never used, shared, or monetised."

The FTC has told Microsoft to obtain parental consent for all child accounts created before May 2021 if the user is still under 13, which the company has confirmed it will do.

Microsoft has also pledged to improve its systems by developing a "next-generation identity and age validation" system that will be a "convenient, secure, one-time process."

The platform holder will test new methods for validating users' ages over the coming months and gather feedback to help improve these systems.

Sign up for the GI Daily here to get the biggest news straight to your inbox

Read this next

James Batchelor avatar
James Batchelor: James is Editor-in-Chief at, and has been a B2B journalist since 2006. He is author of The Best Non-Violent Video Games
Related topics