Microsoft acknowledged it “did not meet customer expectations” and said it has already made changes in the Xbox account verification process for kids under 13 as part of the FTC settlement. (Microsoft Photo)

Microsoft will pay a $20 million fine and change its account verification process for Xbox gamers under 13 as part of a proposed settlement with the Federal Trade Commission.

The settlement, which requires court approval, would resolve charges that Microsoft violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children before notifying parents and obtaining their consent.

The company also retained children’s personal information in volation of COPPA, the FTC said in a complaint made public in conjunction with the settlement agreement, filed in federal court in Seattle.

“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox, and limits what information Microsoft can collect and retain about kids,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a news release. “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA.”

Microsoft has already made a series of changes in the process of verifying child accounts, said Dave McCarthy, the company’s corporate vice president of Xbox Player Services, in a post about the settlement.

“Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,” McCarthy wrote. “We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”

Here are the steps Microsoft is required to take, as described by the FTC:

  • Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child by default;
  • Obtain parental consent for accounts created before May 2021 if the account holder is still a child;
  • Establish and maintain systems to delete, within two weeks from the collection date, all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent and to delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected; and
  • Notify video game publishers when it discloses personal information from children that the user is a child, which will require the publishers to apply COPPA’s protections to that child.

Amazon last week settled an FTC COPPA complaint involving Alexa devices, but said it disagreed with the FTC’s claims and was seeking to resolve the matter and move on.

Like what you're reading? Subscribe to GeekWire's free newsletters to catch every headline

Job Listings on GeekWork

Find more jobs on GeekWork. Employers, post a job here.