Microsoft has been fined $20 million for retaining children's data without parents' consent

US federal law requires providers of online services for children to inform parents about such data
 Microsoft's online gaming service had approximately 120 million monthly active users last December.
 Microsoft's online gaming service had approximately 120 million monthly active users last December.
Photo: Nick Adams (Reuters)
We may earn a commission from links on this page.

Microsoft, which wants to lead the AI revolution, is struggling with a children’s online privacy protection problem.

The Redmond giant will now part with $20 million for failing to secure parental consent to retain—for longer than necessary—personal data of children aged under 13 collected from accounts created before 2021.

US regulator Federal Trade Commission (FTC) found the tech behemoth to have breached sections 312.5 and 312.10 of the Children’s Online Privacy Protection Act. This law “prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.”

The company illegally collected data on children who used its gaming platform Xbox—it asked parents for consent only after collecting their full names, dates of birth, and email addresses to set up accounts.

In a June 5 press statement, the FTC has demanded that Microsoft create and maintain “a system to delete, within two weeks from the collection date, all personal information collected from kids for the purpose of getting parental consent unless the parent grants consent within that time.”

In an Xbox blog post, Dave McCarthy, CVP of Xbox Player Services, regretted failing to meet customer expectations on children’s online privacy. “We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”

He attributed the privacy breach to “a technical glitch where our systems did not delete account creation data for child accounts.” McCarthy promised the company will test new ways of validating age in the coming months.

Big Tech can’t be trusted with children’s online privacy

Microsoft’s trouble on this front follows that of Amazon, which was fined $30 million by FTC last week for storing children’s voice and location data for several years and taking no action after parents requested their erasure.

At $170 million, though, Google holds the record for the highest-ever fine paid out by a Big Tech company in this area. In 2019, regulators concluded that its video site YouTube had knowingly and illegally harvested troves of personal data of children and used it to make money through targeted ads.

In March, Meta’s plans to circumvent the law and open Horizon Worlds, its flagship virtual reality platform, to children aged between 13 and 17 faced immense opposition from online privacy and children’s rights activists. They accused the company of “putting profits ahead of children’s safety.”