Microsoft agreed to pay $20 million as part of a settlement with the Federal Trade Commission (FTC) addressing allegations its Xbox video game platform illegally collected and retained the personal information of children.

A proposed order filed Monday by the Department of Justice on behalf of the FTC would require Microsoft to enhance Xbox privacy protections and delete certain data collected from children when parental consent is not obtained in line with the requirements of the Children’s Online Privacy Protection Act (COPPA) Rule.

The order is subject to court approval.

The details: From 2015-20, Microsoft indefinitely retained children’s personal information collected during account creation, even when the account process was not completed, according to the FTC’s complaint. The alleged practice violated COPPA’s requirements regarding retention of children’s data longer than what is “reasonably necessary,” the FTC stated in a press release.

Microsoft was accused of collecting information including first and last names, email addresses, dates of birth, and phone numbers from children under 13 to access Xbox features. It wasn’t until after the information was obtained that the company sought parental consent, according to the FTC.

Microsoft was also faulted by the FTC for having a pre-checked box allowing it to share data with advertisers as part of its service agreement and advertising policy; sharing user avatar details, including those of children, with third-party game and app developers; and failing to disclose to parents all the information it collected.

Compliance considerations: The proposed order requires Microsoft to obtain parental consent, including reconsent, for Xbox accounts created before May 2021 if the account holder is still a child under 13. The company must also establish and maintain systems for deletion of children’s data upon parental request or when retention is no longer necessary and must notify video game publishers when personal information being collected is from a child, thus extending COPPA’s reach to the publishers.

In a blog, Dave McCarthy, corporate vice president of Xbox Player Services, vowed further changes to protect user personal information, including the details of children.

“We are innovating on next-generation identity and age validation—a convenient, secure, one-time process for all players that will allow us to better deliver customized, safe, age-appropriate experiences,” he wrote. “The long-term benefits will be felt by all players, especially children and their families.”

Company response: In his blog, McCarthy noted the improper retention highlighted by the FTC was the result of a technical glitch that has since been fixed.

“Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,” he wrote. “We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”