Microsoft requires parental consent before collecting personal data from children under 13, and child accounts must be created with parent or guardian authorization. The Microsoft Family Safety product provides parental controls over children's digital activity on Microsoft platforms.
This analysis describes what Microsoft's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The statement establishes that children under 13 are subject to parental consent requirements before data collection occurs, which is relevant to families using Microsoft products and to compliance with COPPA and comparable international children's privacy laws.
The updated policy establishes additional grounds on which Microsoft may retain personal data. While the prior version tied retention to specific user expectations and available deletion controls, the revised language authorizes retention for 'operating our business, meeting our contractual and legal obligations, improving and developing our products and services, protecting the safety and security of our systems and customers, and resolving disputes.' This expands the stated purposes beyond transaction fulfillment and legal compliance. The updated policy directs users to product-specific documentation for retention details rather than providing explicit deletion procedures and timelines in the privacy statement itself.
View change record →The updated policy now grounds data retention in five broad business purposes: operating the business, meeting contractual and legal obligations, improving and developing products and services, protecting system and customer safety, and resolving disputes. Previously, the policy articulated specific criteria for determining retention periods, including customer expectations for retention until manual deletion, availability of automated deletion controls, and data sensitivity. The revised language removes these granular criteria and instead requires users to consult individual product documentation to understand when their specific data will be deleted. This shifts the burden of finding retention timelines from the main policy statement to separate product-specific documents.
View change record →The updated Privacy Statement removes previously stated language about additional rights available to European Economic Area users, narrowing the policy's explicit protections in that region. Simultaneously, the revised terms now explicitly authorize Microsoft to contact users via auto-dialer and prerecorded voice for marketing purposes, provided the user has consented to receive marketing communications to the phone number supplied. This establishes Microsoft's contractual permission to initiate automated marketing calls using artificial intelligence-generated voice technology where user consent to marketing contact has been given.
View change record →Parents should be aware that child accounts on Microsoft platforms require parental consent for data collection, and that Microsoft Family Safety tools are available to manage and monitor children's activity. Parents can review and manage their child's account settings through the Microsoft Family dashboard.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Microsoft has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Microsoft products are not intended for use by children below the age of 13. For children under 13 years old, Microsoft obtains verifiable parental consent before collecting personal data. Where a Microsoft account is created for a child under 13 (or the applicable age in the child's country/region), a parent or guardian must provide consent. Microsoft Family Safety features allow parents to manage their child's digital experiences.— Excerpt from Microsoft's Microsoft Privacy Statement (Legacy)
REGULATORY LANDSCAPE: This provision directly implicates COPPA in the United States, enforced by the FTC, which requires verifiable parental consent before collecting personal data from children under 13. Internationally, the GDPR's special provisions for children's data (including national age variations within the EU ranging from 13 to 16 for consent) and the UK ICO's Age Appropriate Design Code are relevant. The statement's reference to age varying by country/region reflects awareness of these varying thresholds. GOVERNANCE EXPOSURE: High. COPPA violations carry significant FTC enforcement risk. The statement's reference to verifiable parental consent is a COPPA requirement but compliance depends on the adequacy of Microsoft's age verification and consent collection mechanisms, which are not described in detail in the statement. JURISDICTION FLAGS: Age of consent thresholds vary across EU member states under GDPR, creating jurisdiction-specific compliance requirements. The UK Age Appropriate Design Code imposes additional design and data minimization obligations for services likely to be accessed by children. California's AADC-equivalent legislation may also apply. CONTRACT AND VENDOR IMPLICATIONS: Organizations deploying Microsoft products in educational or family contexts should assess whether their use of Microsoft services is consistent with COPPA and applicable state children's privacy laws, including FERPA for educational settings. COMPLIANCE CONSIDERATIONS: Compliance teams should review the adequacy of age verification mechanisms for child accounts; assess whether parental consent collection meets COPPA's verifiable consent standard; and evaluate whether children's data processing practices comply with the UK Age Appropriate Design Code and applicable EU national law provisions.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The statement establishes that children under 13 are subject to parental consent requirements before data collection occurs, which is relevant to families using Microsoft products and to compliance with COPPA and comparable international children's privacy laws.
Parents should be aware that child accounts on Microsoft platforms require parental consent for data collection, and that Microsoft Family Safety tools are available to manage and monitor children's activity. Parents can review and manage their child's account settings through the Microsoft Family dashboard.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Microsoft.