Microsoft Harvested Children’s Data for Years Without Consent. Then Paid $20 Million to Walk Away.
This Was Not a Glitch. These Were Children.
Let’s be precise about who we are talking about. Kids. Children under 13 years old. Kids who wanted to play video games online. Kids who signed up for Xbox Live because their parents bought them a console for Christmas or a birthday, because their friends were online, because gaming is one of the primary social spaces for young people in the 21st century.
These children did not have the legal capacity to consent to anything. That is the entire premise of COPPA. Congress passed that law in 1998 specifically because children cannot meaningfully understand what they are giving away when they hand over their name, their age, their location, their play habits, and their behavioral data to a corporation. The law puts the decision in the hands of parents. It requires companies to ask, to explain, and to get a yes before collecting a single byte of a child’s personal information.
Microsoft knew this law existed. It has existed for the entire adult life of anyone currently working in tech. There is no world in which a company the size of Microsoft, with an army of lawyers, compliance officers, and government relations staff, did not know that COPPA applied to Xbox Live. The only honest question is why they failed to comply anyway, for years, and what it says about how much they valued the data they were collecting versus the legal rights of the children they were collecting it from.
The settlement does not say how many children had their data collected without consent. It does not say how long the violations went on. It does not say what Microsoft did with that data, who saw it, whether it was sold, whether it was used for advertising profiling, or whether it was ever fully deleted. The FTC’s settlement document closes those doors and moves on. Twenty million dollars changes hands, a permanent injunction is signed, and Microsoft walks out of the courthouse having never once been forced to answer those questions in public, under oath, before a jury.
For the families who trusted a major technology company with their children’s information, the message delivered by this settlement is blunt: your child’s privacy is worth whatever Microsoft calculated it would cost them to keep fighting, and not one cent more.
What the Documents Actually Say: Verbatim
The following quotes are pulled directly from Exhibit B of Case 2:23-cv-00836, the FTC’s official Reasons for Settlement document. No paraphrase. No interpretation added before the quote. The breakdown follows each one.
“This statement accompanies the stipulated order for permanent injunction and civil penalty judgment (‘Order’) executed by defendant Microsoft Corporation (‘Microsoft’) in a settlement of an action brought to obtain civil penalties and equitable relief from Microsoft for engaging in acts or practices in violation of the Children’s Online Privacy Protection Act of 1998 (‘COPPA’), 15 U.S.C. §§ 6501-6506, and the Children’s Online Privacy Protection Rule (‘COPPA Rule’), 16 C.F.R. Part 312.” Exhibit B, Case 2:23-cv-00836, Filed 06/05/23 — FTC Matter No. 1923258
- This is the FTC formally stating, in legal terms, that Microsoft violated a federal law designed specifically to protect children. This is not an accusation; it is the agreed basis for the settlement.
- COPPA violations are not technical oversights. The law requires active, affirmative steps to obtain verifiable parental consent. Failing to do so means the company chose to collect data without doing those steps.
- The phrase “acts or practices” is plural, indicating this was a pattern of conduct rather than a single incident.
“The Commission believes that the $20 million civil penalty, along with various injunctive provisions, constitutes an appropriate settlement. The civil penalty coupled with injunctive relief enjoining Microsoft from violating the COPPA Rule in connection with operating the Xbox Live Service or any equivalent or similar game service constitute an effective means to assure Microsoft’s future compliance and deter others who might violate COPPA.” Exhibit B, Case 2:23-cv-00836, Filed 06/05/23 — FTC Matter No. 1923258
- The FTC argues a $20 million fine on a multi-trillion-dollar company is an “effective means to deter others.” This claim is difficult to sustain when the fine represents a fraction of a single hour of Microsoft’s revenue at the time.
- The injunction covers Xbox Live and “any equivalent or similar game service.” This language is broad but future-focused; it does not address any harm already done to children whose data was already collected.
- The phrase “assure Microsoft’s future compliance” confirms the FTC’s own position: compliance was not assured before this settlement, meaning Microsoft was out of compliance and the FTC is now relying on a signed order to change that.
“Additionally, entry of the Order will result in the avoidance of the time and expense of litigation.” Exhibit B, Case 2:23-cv-00836, Filed 06/05/23 — FTC Matter No. 1923258
- This single sentence is the FTC explicitly stating that one of its reasons for settling is to avoid the cost and time of taking Microsoft to trial. The agency charged with protecting American consumers chose convenience over a full public accounting of Microsoft’s conduct.
- A trial would have compelled Microsoft to disclose, under oath, how long violations occurred, how many children were affected, what data was collected, how it was used, and who had access. None of that happened.
- When the government says “avoidance of litigation,” it means the children whose data was taken will never get a public courtroom answer to those questions through this case.
The Damage That $20 Million Cannot Undo
Public Health
Children’s online privacy violations carry documented psychological and developmental harms that extend well beyond the digital record.
- Children whose behavioral and identity data is collected without consent can be subjected to manipulative advertising and algorithmic targeting optimized for engagement, not child wellbeing, during developmentally critical years when impulse control and critical thinking are still forming.
- Data profiles built on children can persist into adolescence and adulthood, following them into college admissions profiling, employment background checks, and insurance risk calculations, with zero transparency to the child or family about what was collected or how it is used.
- The psychological cost of learning that a trusted platform violated your privacy, or your child’s privacy, contributes to a documented erosion of digital trust that disproportionately affects younger users who rely on online spaces for peer connection and identity development.
- COPPA exists precisely because mental health researchers and child development experts testified to Congress that children cannot evaluate privacy tradeoffs the way adults can. Violating COPPA means exploiting that developmental gap.
Economic Inequality
The burden of corporate privacy violations does not fall evenly. Children from lower-income households face structurally greater exposure and fewer protections.
- Families who cannot afford legal representation have no practical recourse when a company like Microsoft violates their children’s privacy. The FTC acts as a stand-in, but as this case demonstrates, the FTC settles rather than litigates, meaning no individual family receives compensation, damages, or even a formal public accounting of what was done.
- The $20 million fine is absorbed by Microsoft as a cost of business. The company generated approximately $198 billion in revenue in fiscal year 2023. A $20 million fine is 0.01% of that figure. There is no economic deterrent here.
- Data collected from children on platforms like Xbox Live is commercially valuable for advertising profiling and product development. Microsoft derived commercial benefit from that data. No portion of the fine is distributed to the families of children whose data was taken.
- Children from households where parents have less time, digital literacy, or English-language access to navigate privacy settings and consent flows are more likely to have had their data collected under conditions of non-compliance. The people least equipped to protect themselves are the ones who needed COPPA the most.
Put the Number in Context
The FTC secured a $20 million civil penalty. Here is what that number actually represents in real-world terms.
Who to Watch and What You Can Actually Do
The settlement is signed. The fine is paid. The question now is whether this pattern continues at Microsoft and across the broader gaming and tech industry.
Key Corporate Roles at Microsoft
- The individuals accountable for COPPA compliance decisions on the Xbox Live platform are not named in Exhibit B. The FTC brought its action against Microsoft Corporation as the defendant entity. The executives responsible for the product and its data practices are listed as [REDACTED – Not in Source].
- Microsoft’s Xbox division leadership and its Chief Privacy Officer held institutional responsibility for ensuring COPPA compliance on the Xbox Live service during the period of violations. Their identities and tenures are [REDACTED – Not in Source].
Watchlist: Regulatory Bodies
- FTC (Federal Trade Commission): The agency that brought this case. Monitor its COPPA enforcement actions at ftc.gov. The FTC has authority to revisit Microsoft’s compliance with the permanent injunction. If Microsoft violates the order, penalties escalate sharply.
- DOJ (Department of Justice): The civil penalty judgment is a federal court order. The DOJ can pursue contempt proceedings if Microsoft violates the permanent injunction.
- State Attorneys General: Several states, including California with the California Consumer Privacy Act, have independent authority to pursue children’s privacy violations beyond the federal COPPA framework.
- Congress: COPPA was written in 1998. The maximum penalty structure has not kept pace with the scale of tech company revenues. Legislators on the Senate Commerce Committee and House Energy and Commerce Committee control whether COPPA gets updated with penalties that actually sting.
Mutual Aid, Organizing, and Resistance
- File a COPPA complaint directly: If you believe a platform collected your child’s data without consent, file a report at reportfraud.ftc.gov. Volume of complaints is one of the few external signals that prompts FTC enforcement action.
- Demand full parental control settings before installation: Before installing any online gaming platform for a child under 13, research whether it has a COPPA-compliant parental consent flow. Demand this from retailers and console manufacturers in writing.
- Support COPPA reform advocacy: Organizations including the Electronic Privacy Information Center (EPIC) and the Electronic Frontier Foundation (EFF) are actively lobbying for stronger children’s privacy laws with penalties tied to revenue, not flat caps. Joining their advocacy lists, donating, or sharing their legislative alerts directly pressures Congress.
- Talk to your local school board: Many schools use Microsoft products. Raise the question of whether your school district’s contracts with Microsoft include enforceable COPPA compliance clauses and independent audit rights. This is a local action with direct leverage.
- Connect with parent-led digital rights groups: Find or form local mutual aid groups focused on digital literacy for parents. The people most harmed by these violations are often the least informed about the laws that were supposed to protect them. Peer-to-peer education is the most effective counter to corporate information asymmetry.
The source document for this investigation is attached below.
The Federal Trade Commission has a press release about this: https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-will-require-microsoft-pay-20-million-over-charges-it-illegally-collected-personal-information
You can also read a Reuters article about it: https://www.reuters.com/technology/microsoft-pay-20-mln-settle-charges-it-collected-childrens-information-2023-06-05/


