Date: 2023-06-06

Microsoft has agreed to pay $20 million (£16 million) to US federal regulators as part of a settlement after it was discovered that the company had unlawfully gathered data on children who had created Xbox accounts.

The settlement, reached with the Federal Trade Commission (FTC) on Monday, includes additional safeguards for child gamers.

The FTC’s investigation revealed several violations, including Microsoft’s failure to adequately inform parents about its data collection practices.

“Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,” Microsoft’s Dave McCarthy, CVP of Xbox Player Services, wrote in an Xbox blog post.

“We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”

As part of the settlement, Microsoft must also institute new safety protections for children. That includes maintaining a system to delete all personal data after two weeks if no parental consent is obtained.

The order must be approved by a federal judge before it can go into effect.

This action follows a similar case against Amazon last week concerning its Echo devices.

According to the FTC, Microsoft violated the Children’s Online Privacy Protection Act by not obtaining proper parental consent and by retaining personal data of children under 13 for longer than necessary for accounts created before 2021.

The law mandates that online services and websites targeting children must obtain parental consent and inform parents about the collection of personal data regarding their child.

When using Xbox services, users are required to create an account. During the account setup process, information such as full name, email address, and date of birth is collected.

It was only after obtaining personal information, such as the child’s phone number, that Microsoft requested parental permission.

From 2015 to 2020, Microsoft retained data from the account setup “sometimes for years”, even when a parent failed to complete the process, the FTC said in a statement.

The company also failed to inform parents about all the data it was collecting, including the user’s profile picture, and that data was being distributed to third parties.

Last week, Amazon agreed to pay $25m after the FTC found that it had retained sensitive data, including voice recordings of children, for years.

Amazon’s doorbell camera unit Ring also agreed to pay out $5.8m after giving employees unrestricted access to customers’ data.

