Microsoft has been fined $20 million over allegations by U.S. regulators that they collected biometrics and other personal data from children who used the company’s Xbox game consoles.
The Federal Trade Commission (FTC) revealed the order Monday, saying Microsoft must improve how it protects children’s data. The order awaits approval from a federal judge.
“Our proposed order makes it easier for parents to protect their children’s privacy on Xbox and limits what information Microsoft can collect and retain about kids,” explains Samuel Levine, director of the FTC’s Consumer Protection Bureau, in a statement.
“This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from COPPA,” Levine says.
The order would extend Children’s Online Privacy Protection Act culpability to third-party game publishers who receive player data from Microsoft.
It also would clarify that avatars generated from a child’s image, biometric and health information are protected by COPPA.
In a separate complaint, the FTC alleged that Microsoft violated COPPA biometrics rules regarding notice, consent and data retention.
The first of these alleged violations relate to the reported failure of Microsoft to provide adequate notice to parents about personal information collected it would collect from children.
Commissioners also said that how the company obtained verifiable parental consent fell short of COPPA standards as they allowed children to provide personal information without parental involvement.
Finally, the FTC highlighted Microsoft’s alleged non-compliance with COPPA data-retention provisions. The complaint reportedly revealed that Microsoft retained children’s data, including biometrics, collected during the account creation process, even when parent authorization.
The FTC orders come weeks after Microsoft outlined some of the risks of unpoliced biometrics use.