Microsoft will pay US federal regulators $20m (£16m) after it was discovered that it unlawfully collected data on minors who created Xbox accounts.
Monday, the Federal Trade Commission (FTC) and the company reached a settlement that includes enhanced protections for juvenile gamers.
The FTC found that Microsoft, among other violations, neglected to inform parents about its data collection policies.
It follows a similar action taken last week against Amazon for its Echo devices.
Microsoft violated the Children’s Online Privacy Protection Act, according to the FTC, by failing to obtain parental consent and by retaining personal information on children under 13 for longer than necessary for accounts created prior to 2021.
The law requires online services and websites that target children to obtain parental consent and inform parents about the collection of their children’s personal information.
Users of Xbox must establish an account to access certain services. During registration, details such as full name, email address, and date of birth are collected.
After obtaining confidential information, such as the child’s phone number, Microsoft did not request parental consent.
From 2015 to 2020, Microsoft retained data “sometimes for years” from account setup, even if a parent did not conclude the process, according to a statement from the FTC.
In addition, the company neglected to inform parents about the data it was collecting, including the user’s profile image, and its distribution to third parties.
