Microsoft nabbed by FTC for illegally storing children’s personal data on Xbox


In a case unrelated to their confrontation over the proposed acquisition of Activision Blizzard, the FTC had Microsoft in the crosshairs because of the Xbox console registration process. The commission ruled that it did not comply with the Children’s Online Privacy Protection Act (Children’s Online Privacy Protection Act) because it collected the personal information of the little darlings without asking the authorization of the parents. Microsoft also admitted to having illegally kept the personal information of these children, while pointing the finger at a “ Technical problem “. The issue in question was resolved at the end of 2021 and concerned the procedure for signing up for an Xbox Live account.

Microsoft makes amends

On the surface, this registration procedure might seem trivial, but the first point that made the FTC jump was that it asked for personal information, such as the telephone number, even when the date of birth of the user indicated that was under 13 years old. It was only after having transmitted this information that the child had to ask a parent to complete the process of creating an account. The complaint filed by the FTC, however, reveals that Microsoft kept the child’s personal data even if the creation of the account was not finalized. This state of affairs would have lasted from 2015 to 2020 and resulted, according to Microsoft, from a technical problem in data retention.

Unfortunately, we have not met customer expectations and we are committed to complying with the order in order to continue to improve our security measures. During the investigation, we identified a technical issue that resulted in our systems not deleting account creation data for child accounts whose creation process was initiated but not completed. at its end “explained Dave McCarthy, director of operations at Xbox. Microsoft was supposed to retain personal information for a maximum of 14 days. ” Our engineering team took immediate action: we fixed the issue, deleted the data, and implemented practices to prevent the error from happening again. The data has never been used, shared or monetized reassures McCarthy.

To avoid repeating its error, Microsoft naturally reworked its account creation process. Now, when a player’s date of birth indicates that they are under 13, the system first asks for verified parental consent and it is the parents who are then expected to provide information such as phone number or email-address. Remember that Microsoft is not the first video game giant pinned by the FTC: Epic Games recently agreed to pay $ 520 million to settle two complaints filed against it by the federal commission. It accused the house of Fortnite of violating the privacy of underage players while promoting unwanted spending through deceptive practices.



Source link -114