Microsoft agrees to settle charges over its mishandling of the personal data of children using Xbox Live


Parents are now in full control of what is and isn’t collected

Online services and websites that collect information from children under 13 must notify their parents directly and obtain their permission before they collect that child's information.

Microsoft's Xbox Live failed to do so, violating the Children’s Online Privacy Protection Act (COPPA), according to the Federal Trade Commission (FTC).

To settle those charges, Microsoft has agreed to obtain parental consent before collecting personal information from children's accounts created before May 2021. As part of its efforts to protect children, Microsoft will also inform adult Xbox Live users about its privacy settings.

“As the next generation enters the digital age, their personal data becomes a valuable asset to organizations looking to capitalize on it,” Nicky Watson, co-founder and chief architect of Cassie, a data privacy management company, told ConsumerAffairs.

“The FTC settlement with Xbox Live is keeping organizations accountable for collecting information about minors and increasing transparency about how that information will be used.”

Does your family have an Xbox Live account?

The agency says that any family who subscribes to Xbox Live can create a special account for their children that will give them privacy protections that adults don’t receive.

For example, with a child account, Microsoft is limited in how it shares your child’s information and your child may only communicate with friends that you approve. To review and adjust your child’s privacy settings, go to your Microsoft Privacy Dashboard.

Watson stressed that, in the Xbox Live case, both parents and children should be aware of their data privacy rights and understand their preferences, and the FTC shares that view. The agency says that before a website or online service collects personal information from any child, it has to notify the parent and get the parent’s permission. The notice must tell the parent:

  • What information the site will collect about your child

  • How it will use the information

  • How to give — or withhold — your consent.

It must also include a link to the privacy policy with more details.

If a parent gives consent, their rights don’t end there. They have the right to review the information that the website or service collects about their child and delete it if they choose. They also have the right to rescind their consent at any time.

To learn more, check out the FTC’s advice about protecting your child’s information online.
