Microsoft has announced that it has reached an agreement with the US Federal Trade Commission (FTC) to regulate the retention of Xbox credentials for children. The US corporation has also pledged to pay $20 million in compensation to the FTC. In addition, Microsoft will need to make some changes as part of a proposed order filed by the Department of Justice (DOJ) on behalf of the FTC.
Microsoft’s violation was that, until the end of 2021, when an Xbox account was being created, the company would ask for certain personal information before asking the parent of a player under 13 to participate in creating the account. The FTC alleges that Microsoft kept this personal data “sometimes for years,” even if parents didn’t end up completing the registration process, which is prohibited by COPPA (Children’s Online Privacy Protection Act).
On the official Xbox blog, Dave McCarthy of Microsoft (CVP Xbox Player Services) commented on the situation as follows:
“Unfortunately, we have not lived up to customer expectations and are committed to complying with the order in order to continue to improve our security measures. We believe we can and should do more and we will remain unwavering in our commitment to privacy and security for our community.”
In the post, McCarthy also notes that Microsoft did not delete account creation data for child accounts due to a “technical glitch” and that the company has since corrected that glitch and deleted the data. According to Microsoft, “This data has never been used, shared, or monetized.”