June 5, 2023
Microsoft Corp. will pay $20 million in civil penalties for violating the Children’s Online Privacy Protection Act for allowing children under 13 to provide personal information—first and last name, email address, and their date of birth—when creating a user account for Microsoft’s Xbox system, without parental consent. Microsoft retained this data even when the account was not finalized, allowing Microsoft to send promotional messages and to share user data with advertisers. Microsoft failed to comply with COPPA’s notice provisions and will be required under the proposed order to clearly communicate with parents about their child’s data and follow set procedures to monitor Microsoft’s compliance with federal statutes regarding children’s online privacy. DOJ, FTC