Microsoft will have to pay $20 million to settle allegations by the US Federal Trade Commission (FTC) that it violated the Children’s Online Privacy Protection Act (COPPA). This was reported by Engadget.

The company was accused of collecting information about underage Xbox users and storing their data without parental consent. To be able to play Xbox games and use services such as Xbox Live, users must register an account and provide their full name, email address, and place of birth.

Until 2021, users were also asked to provide a phone number and agree to the tech giant’s advertising policy. The FTC found that Microsoft only asked users under 13 for their parents to complete account creation after they had already provided personal information. From 2015 to 2020, Microsoft apparently collected and stored the data of underage users, even if their parents did not complete the sign-up process.

The FTC also added that Microsoft combines the player tag with a unique, persistent identifier that it can share with third parties, even for accounts owned by underage users.

Xbox Player Services VP Dave McCarthy said Microsoft did not intentionally keep children’s accounts that were not filled out by their parents. According to him, the company discovered a technical glitch that caused the data to be saved, but after the problem was fixed, the children’s data was deleted. He assured that this information was never used.

Microsoft will also be required to change the account creation process for underage users. The company has already updated it to first ask for a user’s date of birth and, if necessary, ask for parental consent before asking for personally identifiable information. It will also ask users under 13 who created an account before May 2021 to have their parents re-verify the account in the following months.

The FTC is demanding that Microsoft create a system that would delete all children’s personal information within two weeks if their parents don’t complete the account creation. She also wants the company to notify video game publishers if personal information belongs to a child.

Microsoft Edge was previously caught giving Bing data about sites visited by users. This is caused by a poor implementation of a new feature in the browser.