Microsoft will pay $20 million (€18.7m) to settle US charges that it collected personal information from children without their parents' consent.
The Federal Trade Commission (FTC) alleged that from 2015 to 2020 the firm gathered data, without their parents' permission, from children aged under 13 who signed up to its Xbox gaming system, and retained this information.
To open an account, users had to provide their first and last names, an email address, and date of birth.
The FTC said Microsoft violated the Children's Online Privacy Protection Act (COPPA).
The company retained the data that it collected from children during account creation, even when a parent failed to complete the process, according to the complaint.
"Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids," said Samuel Levine, head of the FTC's Bureau of Consumer Protection.
"This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA," Mr Levine added.
The decision still needs the approval of a federal court before it can be implemented.
The FTC said Microsoft will be required to take several steps to bolster privacy protections for child users of its Xbox system.
Under COPPA, online services and websites aimed at kids under 13 must notify parents about the personal information they collect and obtain verifiable parental consent before collecting and using any personal information from children.
A spokesperson for Microsoft said it is committed to complying with the order, adding that its account creation process will be updated and a data retention glitch found in its system will be fixed.