Microsoft has entered into a settlement with the Federal Trade Commission (FTC) over methods the company used to collect children’s information, how long that information was stored, and how it went about seeking parental oversight.
Both the FTC and Microsoft published blogs detailing the alleged child data storage infractions, including why the charges were brought, the settlement amount and proposed mitigation plans.
Filed by the Department of Justice on the FTC’s behalf, the settlement, accepted by Xbox’s creator and owner, includes requirements for Microsoft to improve its safeguards for children – from initial registration through the end of the data lifespan.
Microsoft Child Protection Violations
In its $20 million settlement, the FTC claimed that Microsoft failed to fulfil its data protection duties under the US’s Children's Online Privacy Protection Act of 1998.
The FTC’s blog on the settlement describes three key areas where it believes Microsoft violated the Act:
1) by collecting personal information from kids under 13 before seeking parental consent
2) by not tell parents what information the company collects, why it’s collecting it, and that Microsoft discloses some of the data to third parties
3) by retaining children’s personal information for longer than is reasonably necessary
All of these add up to some serious legal and ethical murky waters for the tech giant, and by entering into the $20M settlement agreement, Microsoft is accepting responsibility and agreeing to make proposed changes.
In a statement published by Dave McCarthy, CVP of Xbox Player Services, the company held its hands up to where it could do better, saying: “Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures. We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”
In the same statement, the company said it had identified a glitch during its own internal investigation that meant accounts created, but not completed, were left on the system past its standard 14 day policy.
Microsoft’s Proposed Safeguarding Strategies
McCarthy details some of the ways Microsoft will be delivering an improved age-appropriate user experience.
“We are innovating on next-generation identity and age validation – a convenient, secure, one-time process for all players that will allow us to better deliver customized, safe, age-appropriate experiences,” he explains in yesterday’s blog.
McCarthy continues: “Over the coming months, we will test new methods to validate age and take feedback from our customers’ experience. The learnings from these trials will directly inform advancements in our player identity systems. We are incorporating Microsoft’s insights from across industries to develop a principled approach to secure digital identities that minimizes data collection, prioritizes security, and makes it easier for players to understand how their data is used.”
Tightening up security measures in its gaming arm is ever-more important as Microsoft’s acquisition of Activation Blizzard faces objections at government and private level in the US and UK. The proposed takeover is the largest ever in the gaming industry, and while Microsoft faces backlash against the deal’s market fairness and anti-monopoly laws, it has plenty of time – and impetus – to get its child data protection standards up to par.