FTC clamps down on Microsoft over child privacy infringements

Background

The FTC alleged that Microsoft collected personal information from children under the age of 13 through its Xbox Live online service and related products without following the rules set out in COPPA, and in particular that it:

• gathered personal information from children prior to notifying parents and obtaining their consent;
• neglected to inform parents about the specific information collected from children and the purpose for collecting such information;
• failed to notify parents that children's personal information may be disclosed to third parties; and
• retained children's personal information for longer than necessary.

Settlement

As part of the settlement, Microsoft is required to:

• provide notice to adults with a Microsoft account of the Xbox parental controls and family settings;
• obtain valid parental consent in relation to all personal information collected from a child's Microsoft account;
• implement a system for deleting children's data if parental consent is not obtained; and
• maintain and adhere to a retention schedule for children's personal information collected.

According to Reuters, Microsoft has said that it is complying with the FTC's requirements by updating the account creation process and resolving a data retention glitch.

Online services and websites directed at children under 13 in the US should take note of the FTC's strict approach to ensuring COPPA compliance. Most importantly, parents should be made aware of the reasons for collecting their children's personal information, and such information should only be collected after they have given verifiable consent.