Microsoft to Pay $20 Million Settlement for 'Illegally' Retaining Children's Information
The Federal Trade Commission says Microsoft violated the Children's Online Privacy Protection Act (COPPA) by collecting the information of children who signed up for its Xbox system and failing to obtain parental consent.
According to the complaint, the company "illegally" collected the personal information of children who signed up for the Microsoft-owned gaming system Xbox and failed to notify parents or obtain consent. Xbox requires users to sign up before accessing games on the system, meaning individuals must provide sensitive information such as first and last name, email address and date of birth.
Until late 2021, even users who were under 13 were prompted to provide information such as a phone number and agree to the system's terms of service and advertising policy — which, according to the complaint, consisted of a "pre-checked box" giving Microsoft permission to share data with advertisers until 2019.
Only after minors filled out the aforementioned information did the system require users who indicated they were under 13 to obtain parental consent to finalize the signup process. However, according to the FTC, Microsoft still retained data from children, sometimes "for years," even if parents didn't complete the signup process or give consent.
"Our proposed order makes it easier for parents to protect their children's privacy on Xbox and limits what information Microsoft can collect and retain about kids," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in a statement. "This action should also make it abundantly clear that kids' avatars, biometric data and health information are not exempt from COPPA."
In addition to the $20 million penalty, Microsoft will be required to make certain changes to the system to further protect children's information, including obtaining parental consent for children's accounts created before 2021, implementing systems to delete children's data within two weeks of collecting it and notifying gaming publishers that the user is a child before sharing personal information.
"Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures," Dave McCarthy, corporate vice president of Xbox, wrote in a blog post on Monday. "We believe that we can and should do more, and we'll remain steadfast in our commitment to safety, privacy and security for our community."
McCarthy added that children's accounts that did not have parental consent were not deleted because of a "technical glitch" and that "the data was never used, shared or monetized."