Microsoft Illegally Collected Children’s Data for Years Without Consent. Fined $20 Million.

Corporate Misconduct Accountability Project


The tech giant harvested personal information from millions of kids under 13 through Xbox Live without parental permission, violating federal privacy law for nearly a decade before paying a modest settlement.

HIGH SEVERITY
TL;DR

Microsoft’s Xbox Live service systematically collected personal information including names, email addresses, and birthdates from children under 13 before obtaining parental consent, violating the Children’s Online Privacy Protection Act. The company stored this data for years, even when parents never completed account setup, and shared children’s information with third-party game developers. After nearly a decade of violations affecting millions of children, Microsoft settled with federal regulators for $20 million without admitting wrongdoing.

This case reveals how even the most trusted tech companies prioritize growth over protecting children’s privacy when regulatory enforcement is weak and penalties are minimal.

$20M: Civil penalty paid by Microsoft
10M+: Incomplete Xbox accounts with retained personal data
218K+: U.S. children under 13 who created Xbox accounts (2015-2020)
8 years: Duration of COPPA violations before enforcement

The Allegations: A Breakdown

⚠️ Core Allegations: What Microsoft did to children’s privacy (8 points)
01 [high] Microsoft collected full names, email addresses, and birthdates from children under 13 during Xbox Live account creation before notifying parents or obtaining their consent. The company even requested phone numbers from kids before involving any parent.
02 [high] The company designed pre-checked boxes in the signup flow that automatically enrolled children in promotional emails and targeted advertising programs by default, allowing kids to subscribe to marketing without parental knowledge.
03 [high] Microsoft failed to inform parents about the full extent of data collection, including that the company would collect and store children’s profile pictures and other images containing their likeness.
04 [high] The company routinely shared children’s personal information including gamertags, unique identifiers, and gameplay data with third-party game developers without proper disclosure to parents.
05 [high] Microsoft retained personal information from approximately 10 million incomplete child accounts indefinitely, storing data for years even when parents never completed the signup process or provided consent.
06 [high] Between 2015 and 2020, over 218,000 U.S. users entered birthdates indicating they were under 13 when creating Xbox accounts, yet Microsoft’s system proceeded to gather additional data from these children before seeking parental involvement.
07 [medium] The company held children’s personal data far longer than reasonably necessary to fulfill the purpose for which it was collected, violating data retention requirements under federal law.
08 [medium] Microsoft only made meaningful changes to its Xbox Live signup process in 2019-2021, after federal investigators had already begun examining the company’s practices.
🏛️ Regulatory Failures: How weak oversight enabled years of violations (7 points)
01 [high] The Federal Trade Commission allowed Microsoft’s COPPA violations to continue unchecked for nearly eight years, from at least 2015 until enforcement action in 2023, demonstrating a critical gap in regulatory oversight capacity.
02 [high] COPPA’s penalty structure caps fines at $46,517 per violation, creating negotiable settlements that tech giants can easily absorb as a cost of doing business rather than a meaningful deterrent.
03 [medium] The settlement allowed Microsoft to neither admit nor deny wrongdoing, enabling the company to avoid accountability while claiming it violated no laws and quickly moving past the scandal.
04 [high] Budget constraints and limited technological expertise prevent the FTC from proactively monitoring compliance, forcing the agency to rely on complaints and investigations rather than real-time enforcement.
05 [medium] COPPA’s framework, enacted in 1998 and updated in 2013, remains fundamentally outdated for modern data collection systems, placing enforcement burdens on individual parents rather than requiring robust corporate safeguards.
06 [medium] The law only protects children under 13, creating a loophole that allows companies like Microsoft to aggressively collect data from teenagers without similar restrictions.
07 [high] No Microsoft executive or manager faced personal consequences for the violations, as costs were absorbed by the corporation and diffused across shareholders rather than individual decision-makers.
💰 Profit Over People: How Microsoft prioritized growth over children’s safety (8 points)
01 [high] Microsoft designed the Xbox Live signup process to collect maximum data upfront from all users including children, prioritizing user acquisition metrics and ecosystem growth over compliance with child protection laws.
02 [high] The company’s business strategy treated children not as minors requiring protection but as consumers to capture, with each child user representing potential future revenue from game sales, subscriptions, and family ecosystem engagement.
03 [high] Microsoft’s $20 million penalty represents less than a rounding error in the company’s quarterly profits of tens of billions of dollars, making the fine financially immaterial to the tech giant.
04 [medium] The company had funds ready in escrow to pay the settlement within seven days of the order, demonstrating that Microsoft treated the penalty as a manageable business expense rather than a meaningful consequence.
05 [medium] Microsoft’s stock price remained unaffected by the settlement, with investors treating the $20 million charge as immaterial and actually viewing the closed case as eliminating regulatory uncertainty.
06 [high] Corporate executives and the Xbox team likely prioritized hitting user acquisition targets over COPPA compliance, knowing that quarterly growth metrics mattered more to shareholders than potential future regulatory issues.
07 [high] By the time Microsoft faced enforcement, the company had already built a massive user base including millions of children, many converted to lifelong customers in the Xbox ecosystem, making the violations profitable despite the eventual fine.
08 [medium] The company leveraged industry norms of self-regulation and minimal real-time oversight, calculating that any legal risk was manageable and that gains from swift user growth outweighed potential penalties.
⚖️ Corporate Accountability Failures: How Microsoft avoided real consequences (6 points)
01 [high] Microsoft settled the case on the same day the complaint was filed, quickly agreeing to terms that allowed the company to control the narrative and avoid a protracted trial that could expose additional damaging details.
02 [high] The settlement’s language explicitly states that Microsoft neither admits nor denies the allegations, enabling the company to publicly claim it violated no laws while technically complying with regulatory demands.
03 [medium] By implementing COPPA compliance changes in 2019-2021 before the 2023 settlement became public, Microsoft positioned the violations as old news and emphasized improvements already made, deflecting accountability.
04 [medium] The company’s public relations strategy treated the enforcement action as a minor hiccup requiring only a brief press statement and policy update note, with no high-profile executive apology or extensive public outreach.
05 [medium] Microsoft benefited from the slow regulatory process and the public’s short memory, knowing that within a year only privacy advocates would recall the details while most Xbox users moved on.
06 [medium] The tech giant avoided any ongoing monitoring requirements or independent audits that could verify sustained compliance, relying instead on self-reporting to demonstrate adherence to the settlement terms.
👨‍👩‍👧‍👦 Community Impact: The human cost of treating children as data commodities (6 points)
01 [high] Microsoft’s actions exposed personal information of millions of children under 13 to potential security risks, with the FTC explicitly noting that retaining children’s data longer than necessary put it at risk of unauthorized access or misuse.
02 [high] The violations created long-term consequences for children whose full names, emails, and other personal details remain vulnerable to identity theft or targeting by predators if the retained data is breached or misused.
03 [high] Parents who trusted Microsoft as a household name to protect their children’s safety and privacy had that trust betrayed, breeding cynicism about whether any tech company can be relied upon to safeguard kids online.
04 [medium] The case normalized the idea that even very young gamers are fair game for corporate data collection, treating children’s privacy as a commodity rather than a fundamental right deserving protection.
05 [medium] Families now face an added burden of constantly policing technology that should have had safeguards built in, as the violations demonstrated that even major corporations compromise children’s information for profit.
06 [medium] Microsoft’s practices undermined children’s developing concept of privacy during formative years, surreptitiously surveilling and recording young users for corporate gain during what should be protected childhood experiences.
📢 The PR Machine: Microsoft’s damage control playbook (6 points)
01 [medium] Microsoft deployed a classic corporate PR strategy: settle quickly, admit nothing legally, point to past improvements, and emphasize cooperation with regulators to control the narrative and minimize lasting reputational damage.
02 [medium] The company’s settlement language allowed Microsoft to claim it violated no laws since there was no formal admission, giving PR teams cover to frame the resolution as a cooperative agreement rather than an enforcement action.
03 [medium] By highlighting that problematic practices ended in 2021 before the 2023 settlement, Microsoft positioned itself as already committed to privacy and portrayed the violations as historical issues rather than ongoing problems.
04 [low] Microsoft avoided appearing combative with regulators through swift settlement, allowing the company to claim internally and externally that it worked constructively with the government to resolve concerns.
05 [low] The company’s marketing engine continued focusing on positive messages about new game releases and community initiatives, gradually pushing the COPPA violation episode out of the public spotlight.
06 [medium] Microsoft relied on short public memory and the absence of follow-up scandals, knowing that most consumers and Xbox users would forget the details within a year while only privacy advocates retained institutional knowledge.
📊 The Bottom Line: What this case reveals about corporate power (8 points)
01 [high] Microsoft’s COPPA violations demonstrate that when penalties are financially negligible compared to corporate profits, companies treat them as acceptable business expenses rather than meaningful deterrents to misconduct.
02 [high] The case exemplifies how profit-maximizing corporate models view any user data, including children’s, as valuable assets to collect and monetize, with privacy protections seen as obstacles to growth rather than ethical obligations.
03 [high] Eight years of unchecked violations reveal systemic regulatory failure, where underfunded agencies cannot match the pace of tech innovation and corporations exploit gaps between outdated laws and modern data practices.
04 [high] Microsoft’s pattern of pushing legal boundaries until forced to stop, then settling without admission, reflects an industry-wide strategy where companies maximize data collection knowing enforcement is slow and penalties are manageable.
05 [high] The absence of personal consequences for executives and the lack of impact on Microsoft’s stock price signal to corporate leadership that child privacy violations carry no real professional or financial risk.
06 [high] This case joins a global pattern of tech giants treating privacy fines as costs of doing business, whether facing U.S. COPPA enforcement or European GDPR penalties, with violations continuing because financial incentives favor data collection over compliance.
07 [medium] Meaningful reform requires fundamental changes including stronger privacy laws, empowered regulators with adequate resources, personal executive liability, and sustained consumer and shareholder pressure demanding ethical corporate behavior.
08 [high] The Microsoft settlement proves that without penalties proportional to corporate revenues, routine compliance audits, and swift enforcement, protecting children online remains a collective failure of law, regulation, and corporate governance.

Timeline of Events

At least 2015
Microsoft begins collecting personal information from children under 13 through Xbox Live without obtaining verifiable parental consent first, violating COPPA
2015-2020
Over 218,000 U.S. children under 13 create Xbox accounts; approximately 10 million incomplete accounts with personal data retained indefinitely
Before 2019
Xbox signup includes pre-checked boxes that automatically enroll children in promotional emails and targeted advertising without parental knowledge
2019-2021
Microsoft implements changes to the Xbox Live signup process to improve COPPA compliance, likely under pressure from the federal investigation
Before April 2021
Microsoft’s parental notices fail to disclose complete information about what data would be collected from children and how it would be used
June 5, 2023
U.S. Department of Justice files complaint on behalf of FTC; Microsoft settles same day for $20 million without admitting wrongdoing
June 9, 2023
Federal court enters stipulated order for permanent injunction and civil penalty judgment against Microsoft

Direct Quotes from the Legal Record

QUOTE 1 [allegations]: Collecting data before parental consent
“The Complaint charges that Defendant violated the COPPA Rule and Section 5 of the FTC Act, 15 U.S.C. § 45, by failing to provide complete direct notice to Parents, failing to provide complete online notice of its information practices with regard to Children, failing to Obtain Verifiable Parental Consent before Collecting, using, or Disclosing Personal Information from Children, and retaining Personal Information Collected online from Children for longer than reasonably necessary.”

💡 This core allegation establishes that Microsoft systematically violated multiple COPPA requirements designed to protect children’s privacy.

QUOTE 2 [allegations]: What data Microsoft collected from kids
“Microsoft’s account set-up process for the Xbox Live Service asked Children to provide their full name, email address, and date of birth, and prompted them to provide their phone number before Microsoft notified Parents or obtained Verifiable Parental Consent.”

💡 Microsoft deliberately designed its signup to harvest extensive personal information from children before any parental involvement.

QUOTE 3 [allegations]: Incomplete parental notice
“Microsoft did not fully inform Parents about what Personal Information Microsoft had Collected from their Children and how Microsoft would use that information, and it failed to disclose that it would share some of that information with Third Parties.”

💡 Even when Microsoft did involve parents, the company concealed the full scope of data collection and sharing with outside parties.

QUOTE 4 [allegations]: Indefinite data retention
“Microsoft stored the Personal Information of Children who began the account creation process for years, even if a Parent never completed the process.”

💡 Microsoft retained children’s data indefinitely without consent, creating ongoing privacy and security risks for millions of kids.

QUOTE 5 [allegations]: Scale of incomplete accounts
“From 2015 to 2020, around 10 million individuals began creating accounts but never completed the account creation process, and Microsoft retained the Personal Information of all these users indefinitely.”

💡 This demonstrates the massive scale of Microsoft’s unauthorized data retention affecting millions of users including children.

QUOTE 6 [allegations]: Known child users
“During a five-year period, approximately 218,000 U.S.-based users provided dates of birth that indicated that they were Children when creating accounts through the Xbox Live Service.”

💡 Microsoft had clear knowledge that hundreds of thousands of users were children under 13, yet continued collecting data without proper consent.

QUOTE 7 [profit]: Pre-checked marketing boxes
“Before approximately mid-2019, as part of its account sign-up process, Microsoft included checkboxes that were pre-selected by default that resulted in the user, including Children, being automatically opted in to receiving promotional emails and to allow Microsoft to use their Personal Information for targeted advertising.”

💡 Microsoft designed the system to automatically enroll children in marketing programs for corporate profit without parental knowledge.

QUOTE 8 [allegations]: Sharing with game developers
“Microsoft routinely Released Personal Information from Children to game publishers offering games through the Xbox Live Service without disclosing to Parents that it would do so.”

💡 The company shared children’s data with third parties while concealing this practice from parents who might have withheld consent.

QUOTE 9 [accountability]: Excessive data retention
“Defendant must Delete all Personal Information Defendant Collected from Children through Child Microsoft Accounts for which Defendant has not, by that date, Obtained Verifiable Parental Consent.”

💡 The settlement order confirms Microsoft held children’s data without consent and must now delete it, acknowledging the violation.

QUOTE 10 [accountability]: No admission of wrongdoing
“Defendant neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Order. Only for purposes of this action, Defendant admits the facts necessary to establish jurisdiction.”

💡 This language allowed Microsoft to settle without admitting guilt, enabling PR claims that it violated no laws.

QUOTE 11 [profit]: Modest penalty for tech giant
“Judgment in the amount of twenty million dollars ($20,000,000) is entered in favor of Plaintiff against Defendant, as a civil penalty.”

💡 The $20 million penalty is financially immaterial to Microsoft, representing a tiny fraction of quarterly profits and failing to deter future violations.

QUOTE 12 [community]: Data security risks
“Retaining Personal Information Collected from a Child for longer than is reasonably necessary to fulfill the purpose for which the information was Collected.”

💡 Excessive retention put children’s data at greater risk of breaches and unauthorized access with no legitimate business justification.

QUOTE 13 [accountability]: Required deletion timeline
“Within thirty (30) days of entry of this Order, establish and implement, and thereafter maintain, a system to Delete, within two (2) weeks from the date of Collection, all Personal Information Defendant has Collected from Children for purposes of Obtaining Verifiable Parental Consent, unless the Parent provides Verifiable Parental Consent.”

💡 This requirement proves Microsoft previously retained consent-seeking data indefinitely, far beyond what was necessary.

QUOTE 14 [accountability]: Notifying game publishers of child users
“Defendant, within one hundred and twenty (120) days of entry of this Order, in connection with operating a Covered Service, must, at each instance when Disclosing Personal Information from a Child Microsoft Account to any video game publisher on such service, indicate to such party (such as through an API) that the user is a child under age 13.”

💡 This new requirement shows Microsoft previously shared children’s data with game publishers without flagging that the users were minors.
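As an added illustration (not code from the order, the FTC, or Microsoft’s own systems), the two mechanisms in Quotes 13 and 14 can be expressed as a small consent-gated retention sweep: a user whose birthdate shows they are under 13 at signup is treated as a child, consent-seeking data is deleted two weeks after collection unless verifiable parental consent arrives, and any disclosure to a game publisher carries an explicit under-13 flag. All record names, timestamps and the in-memory store are constructed for the example.

```python
"""Consent-gated retention and disclosure checks modelled on the order's terms.
Constructed example; the account records and timestamps are not real data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

COPPA_CHILD_AGE = 13                  # COPPA covers children under 13
CONSENT_WINDOW = timedelta(days=14)   # order: delete within two weeks unless VPC


def age_on(dob: date, on: date) -> int:
    """Whole years of age on a given date (safe for Feb 29 birthdays)."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def is_child(dob: date, on: date) -> bool:
    """True if the person is under 13 on the given date."""
    return age_on(dob, on) < COPPA_CHILD_AGE


@dataclass
class PendingAccount:
    """Data gathered at signup while parental consent is still being sought."""
    account_id: str
    dob: date
    email: str
    collected_at: datetime
    vpc_obtained_at: Optional[datetime] = None   # verifiable parental consent


def sweep(pending: list[PendingAccount], now: datetime):
    """Return (kept_accounts, deleted_account_ids) for one scheduled run.

    Child records with no consent after CONSENT_WINDOW are deleted; records
    with consent, records still inside the window, and non-child records are kept.
    """
    kept, deleted = [], []
    for acct in pending:
        child = is_child(acct.dob, acct.collected_at.date())
        expired = now - acct.collected_at >= CONSENT_WINDOW
        if child and acct.vpc_obtained_at is None and expired:
            deleted.append(acct.account_id)   # real system: hard-delete here
        else:
            kept.append(acct)
    return kept, deleted


def publisher_payload(acct: PendingAccount, now: datetime) -> dict:
    """Minimal data released to a game publisher, always carrying the child flag.

    A child's data may only be released once consent exists; the email is
    never forwarded because the publisher has no need for it.
    """
    child = is_child(acct.dob, now.date())
    if child and acct.vpc_obtained_at is None:
        raise PermissionError(f"{acct.account_id}: no parental consent on file")
    return {"account_id": acct.account_id, "is_child_under_13": child}


# Constructed sample store: four signups at different ages and consent states.
SAMPLE_NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_PENDING = [
    # child, no consent, 20 days old -> past the window, delete
    PendingAccount("acct-001", date(2014, 6, 15), "kid1@example.invalid",
                   SAMPLE_NOW - timedelta(days=20)),
    # child, no consent yet, 3 days old -> still inside the window, keep
    PendingAccount("acct-002", date(2015, 1, 2), "kid2@example.invalid",
                   SAMPLE_NOW - timedelta(days=3)),
    # child, parent consented on day 5 -> keep
    PendingAccount("acct-003", date(2013, 9, 9), "kid3@example.invalid",
                   SAMPLE_NOW - timedelta(days=30),
                   vpc_obtained_at=SAMPLE_NOW - timedelta(days=25)),
    # adult signup -> outside the child sweep, keep
    PendingAccount("acct-004", date(2005, 3, 1), "adult@example.invalid",
                   SAMPLE_NOW - timedelta(days=40)),
]

if __name__ == "__main__":
    kept, deleted = sweep(SAMPLE_PENDING, SAMPLE_NOW)
    print("deleted:", deleted, "kept:", [a.account_id for a in kept])
    print(publisher_payload(SAMPLE_PENDING[2], SAMPLE_NOW))
```

The age check deliberately uses the birthdate entered at signup, which is the signal the order describes; a user who is exactly 13 on the collection date is not treated as a child.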

QUOTE 15 [accountability]: Compliance reporting burden
“Within one (1) year and one month of the Account Suspension Date, provide a written statement to the Commission, sworn under penalty of perjury, that (1) describes the process through which Defendant Obtained Verifiable Parental Consent from Parents to Collect, use, and retain Personal Information Collected from each Child Microsoft Account; (2) identifies the total number of Child Microsoft Accounts for which Defendant sought to Obtain Verifiable Parental Consent.”

💡 The extensive compliance reporting requirements demonstrate the severity of Microsoft’s systematic violations and the need for ongoing oversight.

Frequently Asked Questions

What exactly did Microsoft do wrong?
Microsoft collected personal information including names, email addresses, birthdates, and phone numbers from children under 13 through Xbox Live before getting parental permission, violating federal law. The company kept this data for years, shared it with game developers, and failed to properly inform parents about what was being collected or how it would be used.
How many children were affected?
Between 2015 and 2020, over 218,000 U.S. children under 13 created Xbox accounts. Additionally, Microsoft retained personal information from approximately 10 million incomplete accounts indefinitely, many of which likely belonged to children who never finished the signup process.
How long did these violations continue?
Microsoft violated the Children’s Online Privacy Protection Act for at least eight years, from 2015 until the settlement in 2023. The company only made meaningful changes to its practices in 2019-2021, likely after federal investigators began examining its conduct.
What penalty did Microsoft face?
Microsoft agreed to pay a $20 million civil penalty and implement changes to its data practices. However, the company neither admitted nor denied wrongdoing, and the fine represents a small fraction of one percent of Microsoft’s quarterly profits, making it financially insignificant to the tech giant.
Why is a $20 million fine considered inadequate?
Microsoft reports tens of billions of dollars in profit every quarter. The $20 million penalty is so small compared to the company’s revenue that it functions more like a minor business expense than a meaningful punishment. This creates an incentive for companies to violate privacy laws if the potential profits exceed the likely fine.
What happens to the data Microsoft already collected?
Under the settlement, Microsoft must seek parental consent for existing child accounts and delete all personal information from children whose parents don’t provide consent within the specified timeframe. The company must also establish systems to delete data collected for consent purposes within two weeks if parents don’t respond.
Did any Microsoft executives face consequences?
No. The settlement holds the corporation accountable but no individual Microsoft manager or executive faced personal legal or financial repercussions for the violations. The costs were absorbed by the company and its shareholders, not by the people who made the decisions that led to the privacy violations.
How did Microsoft respond to the allegations?
Microsoft settled the case on the same day the complaint was filed without admitting any wrongdoing. The company emphasized that it had already made changes to its practices before the settlement and positioned itself as cooperating with regulators. This PR strategy allowed Microsoft to move past the issue quickly with minimal lasting damage to its reputation.
What changes must Microsoft make going forward?
Microsoft must obtain parental consent before collecting children’s data, provide clear notices about what information is collected and how it’s used, delete data when consent isn’t obtained, notify game publishers when users are under 13, maintain data retention schedules, and submit regular compliance reports to the FTC.
What can parents do to protect their children’s privacy?
Parents should create child accounts through proper family settings, regularly review privacy controls on gaming platforms, ask companies directly about their data practices, support stronger privacy laws by contacting elected representatives, and consider whether to allow children on platforms with poor privacy track records. Parents can also file complaints with the FTC if they discover companies violating children’s privacy.
Post ID: 3067  ·  Slug: microsoft-coppa-privacy-violations-ftc  ·  Original: 2025-03-27  ·  Rebuilt: 2026-03-20

The Federal Trade Commission has a press release about this: https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-will-require-microsoft-pay-20-million-over-charges-it-illegally-collected-personal-information

You can also read a Reuters article about it: https://www.reuters.com/technology/microsoft-pay-20-mln-settle-charges-it-collected-childrens-information-2023-06-05/

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.

Learn more about my research standards and editorial process by visiting my About page
