Microsoft has paid $20m (£16.1m) to US regulators after the tech company wrongly collected biometric data from children using its Xbox games consoles.
The software giant collected personal information from under-13 users of the gaming system without notifying parents or obtaining their consent, and illegally retained the data gathered, the US Federal Trade Commission (FTC) found.
In some cases, Microsoft had held onto children’s data for as much as five years before disposing of it, the regulator said as it announced the $20m settlement.
Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said: “This action should also make it abundantly clear that kids’ avatars, biometric data, and health information are not exempt from [the Children’s Online Privacy Protection Act].”
The settlement – equivalent to around three hours’ worth of Microsoft’s annual profits – comes amid increasing scrutiny of Big Tech companies’ attitudes towards children’s online safety on both sides of the Atlantic.
Children who tried to sign up for Xbox services online could get as far as submitting personal details before requiring a parent or guardian to complete the signup process on their behalf.
But data submitted up to that point was retained by Microsoft regardless of whether parents allowed their children to continue.
Information collected sometimes included biometric data as well as phone numbers and avatars, according to the regulator. Until 2019 a pre-checked box in the signup process allowed Microsoft to share that data with advertisers.
A Microsoft spokesman said the company would comply with a court-approved settlement order, Reuters reported, adding that a data retention glitch in the company’s systems would be fixed.
Britain’s Online Safety Bill aims to crack down on how big tech companies treat their users’ data, with campaigners saying the proposed law is urgently needed to protect children from online exploitation and surveillance by advertisers.
Critics say the bill reaches too far, however, with WhatsApp and Signal Messenger threatening to leave the UK over anti-encryption proposals in the new law.
Wikipedia has also threatened to shut down in Britain over plans to introduce mandatory age verification for anyone using an online service.
Lucy Crompton-Reid, head of Wikipedia’s UK charitable arm, told the BBC in April it was “definitely possible that one of the most visited websites in the world – and a vital source of freely accessible knowledge and information for millions of people – won’t be accessible to UK readers”.
WhatsApp boss Will Cathcart told The Telegraph in December that the messaging app would also withdraw from the UK rather than comply with the new bill.