Following allegations that Microsoft unlawfully gathered personal information from children without parental consent, the company has reached a settlement of $20 million with the U.S. Federal Trade Commission.

The FTC accused Microsoft of violating the Children’s Online Privacy Protection Act, which mandates that companies must inform parents about the data they collect from children under 13, obtain parental consent, and delete the data when it is no longer needed.

In this case, when children registered for Microsoft’s Xbox service, they were requested to provide personal details such as their first and last name, email address, and date of birth.

Microsoft was found to have violated the Children’s Online Privacy Protection Act (COPPA), a federal law that governs online privacy protections for children under 13.

The Federal Trade Commission (FTC) stated that Microsoft failed to inform parents about data collection, obtain parental consent, and delete unnecessary data.

According to the FTC, children signing up for Microsoft’s Xbox gaming service were required to provide personal information such as name, email address, phone number, and date of birth.

Until 2019, there was a pre-filled checkbox allowing Microsoft to share user information with advertisers.

The FTC further revealed that Microsoft collected this data before parental consent was obtained and retained children’s data even if the parent did not complete the account setup.

Lesley Fair, a senior attorney with the FTC’s Bureau of Consumer Protection, explains, “The notice didn’t inform parents that Microsoft would collect additional personal information, such as kids’ photos, their Xbox User IDs, and other data combined with that ID.“

In response to the settlement, a Microsoft spokesperson told NBC, representing the owner of the Xbox video game consoles, stated, “The company is committed to complying with the order.”

The settlement, announced on Monday evening, is subject to approval by a federal court before it becomes effective.

Xbox promotes the creation of Microsoft “gamertag” accounts for online gaming, which includes players of all ages, including children.

During the sign-up process, Microsoft collects information such as email addresses, first and last names, and birthdays from players.