Microsoft is set to pay the Federal Trade Commission (FTC) $20 million for violating the Children's Online Privacy Protection Act (COPPA). It collected and retained personal information from children signing up to play games on Xbox without notifying parents or obtaining consent. As part of the settlement, Microsoft must also bolster privacy and protection for children on Xbox consoles.

"Our proposed order makes it easier for parents to protect their children's privacy on Xbox and limits what information Microsoft can collect and retain about kids," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. "This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA."
According to the report, Xbox users under the age of 13 were treated like anyone else. "Even when a user indicated that they were under 13, they were also asked, until late 2021, to provide additional personal information, including a phone number, and to agree to Microsoft's service agreement and advertising policy," the FTC writes. "Which, until 2019, included a pre-checked box allowing Microsoft to send promotional messages and to share user data with advertisers."
Apparently, after supplying personal information, the children were advised to involve their parents.
According to Dave McCarthy, CVP of Xbox Player Services, the issue was "a data retention glitch found in our system." However, age verification checks seemed somewhat lax for children signing up to play games on an Xbox console.
The Xbox team has already released a post outlining its plans to bolster things like identity and age validation, with the Xbox account creation process now beginning with an age check. If someone is under 13, they'll require "verified parental consent," which applies to children under 13 who signed up before May 2021. The Xbox platform generally has several family services and parental features to tap into; for full details on its privacy and data policies, head here.