Microsoft has agreed to pay a $20 million fine and change data privacy procedures for children to settle Federal Trade Commission (FTC) charges for violations of the Children’s Online Privacy Protection Act (COPPA) .

COPPA is a US federal law designed to protect the privacy of children under 13 on the Internet by requiring parental consent, the ability to review and request deletion of the child’s personal information, the ability to opt out of data collection, implement security protections for information collected, and more when registering for online accounts.

“COPPA imposes certain requirements on operators of websites or online services directed to children under the age of 13, as well as operators of other websites or online services that have actual knowledge that they are collecting personal information. online with a child under 13,” explains the COPPA Rule.

According to the consumer protection agency, Microsoft collected and stored the personal information of children who signed up for the Xbox Live service without asking their parents’ consent or even informing them.

In some confirmed cases between 2015 and 2020, the FTC says Microsoft stored children’s data on its servers for several years.

Court documents reveal that from January 2017 to December 2021, approximately 218,000 US-based Xbox console users created Microsoft accounts by entering dates of birth indicating they were under 13 years old.

While this is a simple item to help confirm which Xbox users are protected by COPPA, the FTC alleges that Microsoft failed to take appropriate action as proposed by the law, violating several sections of the law.

“Even when a user indicated that they were under 13, they were also required, until the end of 2021, to provide additional personal information, including a telephone number, and to accept the service contract. and Microsoft’s advertising policy, which until 2019 included a pre-checked box allowing Microsoft to send promotional messages and share user data with advertisers, according to the complaint,” reads a statement. FTC press release.

More details on COPPA violations and the evidence collected can be found in the complaint submitted by the United States Department of Justice submitted on behalf of the FTC to the United States District Court for the Western District of Washington.

Along with the monetary penalty, the FTC has proposed steps the tech giant must take to ensure COPPA compliance.

Specifically, Microsoft will now need to implement the following practices:

• Inform parents of the additional privacy protections provided by creating a separate account for their child.
• Obtain parental consent for accounts created before May 2021 if the account holder is still a child.
• Delete all COPPA-protected user personal data if it is no longer needed to provide the services that dictated the original collection.
• Delete all user data stored on its systems that it has collected without obtaining parental consent.
• Delete COPPA-protected user data within two weeks of the date of collection.
• Extend COPPA protections to third-party game publishers that receive user data from Microsoft.
• Extend COPPA protections to biometric and medical information collected to create avatars if that collection is associated with personally identifiable information.

Although both parties have agreed to this settlement, it is still awaiting court approval.

The FTC recently took action to emphasize the importance of technology companies adhering to data privacy regulations, especially those that handle sensitive data of underage users.

Last week, the agency Amazon fined $25 million for ignoring requests from parents to delete their children’s data and continuing to use sensitive user information to train machine learning algorithms.