Microsoft will pay $20m (£16m) to US federal regulators after it was found to have illegally collected data on children who had started Xbox accounts.
The Federal Trade Commission (FTC) reached a settlement with the company on Monday, which also includes increased protections for child gamers.
Among other violations, the FTC found that Microsoft failed to inform parents about its data collection policies.
It follows a similar action against Amazon last week over its Echo devices.
The FTC said Microsoft violated the Children's Online Privacy Protection Act by not properly getting parental consent and by retaining personal data on children under 13 for longer than necessary for accounts created before 2021.
The law requires online services and websites directed towards children to obtain a parent's consent and to inform the parent about personal data being collected about their child.
Xbox users must create an account to use certain services. Information such as full name, email address and date of birth are collected as part of the set up.
Not until after obtaining personal information, such as the child's phone number, did Microsoft ask for a parent to provide permission.
From 2015 to 2020 Microsoft retained data "sometimes for years" from the account set up, even when a parent failed to complete the process, the FTC said in a statement.
The company also failed to inform parents about all the data it was collecting, including the user's profile picture and that data was being distributed to third parties.
"Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures," Microsoft's Dave McCarthy, CVP of Xbox Player Services, wrote in an Xbox blog post.
"We believe that we can and should do more, and we'll remain steadfast in our commitment to safety, privacy, and security for our community."
As part of the settlement, Microsoft must also institute new safety protections for children. That includes maintaining a system to delete all personal data after two weeks if no parental consent is obtained.
The order must be approved by a federal judge before it can go into effect.
Last week, Amazon agreed to pay $25m after the FTC found that it had retained sensitive data, including voice recordings of children, for years.
Amazon's doorbell camera unit Ring also agreed to pay out $5.8m after giving employees unrestricted access to customers' data.
Latest Stories
-
IMANI Africa takes on EC, accuses it of lying and publishing half truths
10 mins -
Manasseh Azure calls for investigation and prosecution of those responsible for GRA/SML contract
20 mins -
Kwesi Atuahene: Ghana’s health capital depends on HealthTech – Africa Center for Digital Transformation
43 mins -
13 signs your wife is planning on leaving you and you have no idea
48 mins -
IMANI Africa: Ghana’s EC’s dangerous and pathological conduct
1 hour -
If I speak there will be fire – Salah on Klopp row
2 hours -
Grieving after divorce is normal, but this particular kind of grief isn’t
2 hours -
10 beautifully unexpected ways husbands proposed to their wives
2 hours -
Reality zone with Vicky Wireko: Painting Ghana purple: Be aware, May is month of mental health awareness
2 hours -
Prof Opoku-Agyemang’s integrity is admirable – Inusah Fuseini
2 hours -
Your reign has been a beacon of wisdom – Alan Kyerematen tells Asantehene
2 hours -
Akufo-Addo’s driver wins La Dadekotopon NPP primary
2 hours -
Education Minister must channel resources to rebrand basic public schools into tackling critical needs – Minority
2 hours -
CAFCC: “Dreams need to score early to unsettle Zamalek” – Former Zamalek striker Felix Aboagye
4 hours -
GHS launches mobile app to counter misinformation about vaccines
4 hours