• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

FTC Will Require Microsoft to Pay $20 million over Charges it Illegally Collected Personal Information from Children without Their Parents’ Consent


Gold Member
Proposed order will require Microsoft to bolster protections for children; makes clear that avatars and biometric and health data are protected under COPPA

Microsoft will pay $20 million to settle Federal Trade Commission charges that it violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information.

“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”

As part of a proposed order filed by the Department of Justice on behalf of the FTC, Microsoft will be required to take several steps to bolster privacy protections for child users of its Xbox system. For example, the order will extend COPPA protections to third-party gaming publishers with whom Microsoft shares children’s data. In addition, the order makes clear that avatars generated from a child’s image, and biometric and health information, are covered by the COPPA Rule when collected with other personal data. The order must be approved by a federal court before it can go into effect.

The COPPA Rule requires online services and websites directed to children under 13 to notify parents about the personal information they collect and to obtain verifiable parental consent before collecting and using any personal information collected from children. According to a complaint also filed by DOJ, Microsoft violated the COPPA Rule’s notice, consent and data retention requirements.

Microsoft’s Xbox gaming products allow users to play and chat with other players through its Xbox Live service. To access and play games on an Xbox console or use any of the other Xbox Live features, users must create an account, which requires users to provide personal information including their first and last name, email address and their date of birth. Even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information including a phone number and to agree to Microsoft’s service agreement and advertising policy, which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers, according to the complaint.

It wasn’t until after users provided this personal information that Microsoft required anyone who indicated they were under 13 to involve their parent. The child’s parent then had to complete the account creation process before the child could get their own account. According to the complaint, from 2015-2020 Microsoft retained the data—sometimes for years—that it collected from children during the account creation process, even when a parent failed to complete the process. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected.

After a child makes an account, they can create a profile that will include their “gamertag,” which is the primary identifier visible to the user and other Xbox Live users, and can also upload a picture or include an avatar, which is a figure or image that represents the user. According to the complaint, Microsoft combined this information with a unique persistent identifier it creates for each account holder, even children, and could share this information with third-party game and app developers. Microsoft allowed—by default—all users, including children to play third-party games and apps while using Xbox Live, requiring parents to take additional steps to opt out if they don’t want their children to access them.

According to the complaint, Microsoft failed to fully comply with COPPA’s notice provisions. For example, Microsoft failed to disclose to parents all the information it collected, such as a child’s profile picture.

In addition to the monetary penalty, Microsoft will be required under the proposed order to:
  • Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
  • Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
  • Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected; and
  • Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.
The Commission voted 3-0 to refer the complaint and proposed federal order to the Department of Justice. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Western District of Washington state.


Gold Member
This reminds me of this Jim Ryan quote, which caused a bit of an uproar at the time, but now looks like one of the sanest decisions Jim took.

I wonder if he knew about the mishappenings on the Xbox side regarding this.



At work the other day I watched a sales staff of the chain of shops I work inside sell an extended warranty to an 11-year old for the gaming headset they were buying 🤣 he was even paying with his own debit card so its not like you could say it was actually a transaction of the parent that was with him.


Oh no, what will MS do?! How can they POSSIBLY pay 20 million dollars? 20 whole freaking million dollars? Sell your stocks everyone, MS is done, bankrupt.

Jesus Christ, if an agency is going to go to the trouble of fining a gigantic corporation, make it hurt. That'd be like fining the average person 20 dollars.


Gold Member
Last edited:


Gold Member
At Xbox, we have the fundamental commitment to provide all players with a safe and secure experience on our platform – and this is especially true for our youngest players. We frequently iterate on our safety measures, in collaboration and with feedback from the community, regulators and partners. We recently entered into a settlement with the U.S. Federal Trade Commission (FTC) to update our account creation process and resolve a data retention glitch found in our system. Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.

Our two decades of safety experience has taught us that all players want, and need, safety and privacy protections. Since 2005, when we launched the first console that could connect players online, we’ve continued to invest in tools and technologies to protect our community. That work evolved into a multifaceted safety strategy. Our suite of safety, privacy and security measures are designed to respect player privacy and safety, and empower players, as well as parents and caregivers, to have control over their gaming experiences.

Below we detail the changes we made to verify child accounts, however, our work on age validation doesn’t stop there. We see an opportunity to further advance safe digital experiences that are accessible, simple to use, and benefit all players. We are innovating on next-generation identity and age validation – a convenient, secure, one-time process for all players that will allow us to better deliver customized, safe, age-appropriate experiences. The long-term benefits will be felt by all players, especially children and their families. And while we see this as the future, we anticipate that the entire games industry will as well.

Over the coming months, we will test new methods to validate age and take feedback from our customers’ experience. The learnings from these trials will directly inform advancements in our player identity systems. We are incorporating Microsoft’s insights from across industries to develop a principled approach to secure digital identities that minimizes data collection, prioritizes security, and makes it easier for players to understand how their data is used.

We’ll continue to put players at the center – giving them full control over their online experiences and digital identities. We’ll continue to empower parents and caregivers to exercise appropriate oversight of the gaming experience for their children and families, in addition to tools like the Xbox Family Settings App and child accounts. Child accounts are built for underage players so that parents and caregivers can manage settings, privacy, spending and more. We will continue to be transparent and clear about the actions we take on our service, just as we did when we released our inaugural Transparency Report and second Transparency Report in May.

The Xbox community is our community – one we shape together. As we innovate and trial new experiences, we’ll work with the community to gather feedback so we can create a safer gaming experience together.

What the FTC settlement means for players

Since the FTC settlement, we have updated our account creation process, which now requires players to first identify date-of-birth and, if under 13 years old, obtain verified parental consent before providing us with any information such as phone number or email address. This updated process ensures that we can identify potential child accounts immediately and make clear to parents and caregivers the next steps to protect their children’s data and play safely on our network.

Over the coming months, players who are under the age of 13 and created an account prior to May 2021 will require parental reconsent – meaning a parent will be prompted to reverify the account and grant permission for their child to continue gameplay and activity on Xbox. We are committed to making this process as seamless as possible. We are working hard to ensure that when parents are prompted to reconsent, they will have the information needed to proceed without disruptions to their child’s access. To learn more about setting up a child account, please visit here.

During the investigation, we identified a technical glitch where our systems did not delete account creation data for child accounts where the account creation process was started but not completed. This was inconsistent with our policy to save that information for only 14 days to make it easier for gamers to pick up where they left off to complete the process. Our engineering team took immediate action: we fixed the glitch, deleted the data, and implemented practices to prevent the error from recurring. The data was never used, shared, or monetized.

To more clearly explain what information we collect and how we use it, we updated our Microsoft Privacy Statement, including a dedicated section about how Xbox processes user data. We have also updated our home screen to have a clearly labelled link to the Microsoft Privacy Statement. This link also appears in each area of the service where personal information is collected. Microsoft also provides a privacy dashboard that shares with families what data is collected and used. Players can adjust their privacy settings at any time and child accounts are set to the strongest privacy settings by default. To learn more about Xbox’s privacy features, please visit here.

Additional resources for families

We want all parents, caregivers, and families to know that, more than anything else, we have their children’s safety and privacy top of mind. We will continue to communicate the changes we are making to our practices and the data we collect so we can better protect children using our platform. We also continue to explore creative ways to educate players about online safety.

This past Safer Internet Day, we released Minecraft’s Privacy Prodigy, aimed at teaching young people about privacy and how to safeguard their sensitive personal information. This world is the second chapter in the CyberSafe series, following last year’s release of Minecraft CyberSafe: Home Sweet Hmm, reaching millions of players, with unprecedented downloads of support materials underscoring the demand by teachers and families to teach these critical skills and integrate safer online practices daily. CyberSafe: Home Sweet Hmm and CyberSafe: Privacy Prodigy are both available for free on Minecraft: Education Edition and Minecraft Bedrock.

Our updated Xbox Family Hub shares information about creating a family group, managing child accounts, and helps parents and caregivers understand the safety measures we have in place, such as the Xbox Family Settings App.



Gold Member
Scary that you needed to "reimagine" not exploiting children. But what do I know.


Gold Member
Scary that you needed to "reimagine" not exploiting children. But what do I know.

Speaking of "imagination", their press release makes the FTC/DOJ order and $20 million fine sound like a damn collaboration.

"We frequently iterate on our safety measures, in collaboration and with feedback from the community, regulators and partners."

And this....

"we did not meet customer expectations"

That's the sort of thing you say after shit like Redfall.
Last edited:


Currently Gif and Meme Champion
Slap on the wrist for MS, problem which I am seeing with these kind of fines is that after payment they aren't enforced.


Epic got a 275 million dollar fine about this....
Microsoft made out well.

Proposed order will require Microsoft to bolster protections for children; makes clear that avatars generated from kids’ image and biometric and health data are protected under the Children’s Online Privacy Protection Act (COPPA) /2


I've actually been pretty impressed with how Microsoft handles child accounts.
Last edited:
Top Bottom