Microsoft Hit With $20M Illegal Data Storage Fine from FTC

The Xbox owner states that a glitch meant children’s data was illegally retained on its platform.

Microsoft has entered into a settlement with the Federal Trade Commission (FTC) over methods the company used to collect children’s information, how long that information was stored, and how it went about seeking parental oversight.

Both the FTC and Microsoft published blogs detailing the alleged child data storage infractions, including why the charges were brought, the settlement amount and proposed mitigation plans.

Filed by the Department of Justice on the FTC’s behalf, the settlement, accepted by Xbox’s creator and owner, includes requirements for Microsoft to improve its safeguards for children – from initial registration through the end of the data lifespan.

Microsoft Child Protection Violations

In its $20 million settlement, the FTC claimed that Microsoft failed to fulfil its data protection duties under the US’s Children’s Online Privacy Protection Act of 1998.

The FTC’s blog on the settlement describes three key areas where it believes Microsoft violated the Act:

1) by collecting personal information from kids under 13 before seeking parental consent
2) by not tell parents what information the company collects, why it’s collecting it, and that Microsoft discloses some of the data to third parties
3) by retaining children’s personal information for longer than is reasonably necessary

All of these add up to some serious legal and ethical murky waters for the tech giant, and by entering into the $20M settlement agreement, Microsoft is accepting responsibility and agreeing to make proposed changes.

In a statement published by Dave McCarthy, CVP of Xbox Player Services, the company held its hands up to where it could do better, saying: “Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”

In the same statement, the company said it had identified a glitch during its own internal investigation that meant accounts created, but not completed, were left on the system past its standard 14 day policy.

Delete Your Personal Data From the Web Today

Incogni takes on the data brokers holding your information, so you don't have to.

Microsoft’s Proposed Safeguarding Strategies

McCarthy details some of the ways Microsoft will be delivering an improved age-appropriate user experience.

“We are innovating on next-generation identity and age validation – a convenient, secure, one-time process for all players that will allow us to better deliver customized, safe, age-appropriate experiences,” he explains in yesterday’s blog.

McCarthy continues: “Over the coming months, we will test new methods to validate age and take feedback from our customers’ experience. The learnings from these trials will directly inform advancements in our player identity systems. We are incorporating Microsoft’s insights from across industries to develop a principled approach to secure digital identities that minimizes data collection, prioritizes security, and makes it easier for players to understand how their data is used.”

Tightening up security measures in its gaming arm is ever-more important as Microsoft’s acquisition of Activation Blizzard faces objections at government and private level in the US and UK. The proposed takeover is the largest ever in the gaming industry, and while Microsoft faces backlash against the deal’s market fairness and anti-monopoly laws, it has plenty of time – and impetus – to get its child data protection standards up to par.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Originally from Los Angeles, Sarah has lived and worked in four countries, and now calls sunny Manchester (the UK one, not the US one) home. Since her post-grad with the NCTJ in Journalism she's written for national and trade titles across the world, covering everything from construction and hospitality to tech and travel. Her special interest areas are AI and automation, cybersecurity, quantum computing and cats.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals