What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://account.microsoft.com/family', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': "Sign in to your Microsoft account and navigate to Microsoft Family Safety at account.microsoft.com/family to review your child's account, manage permissions, and request deletion of their personal data.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC enforces COPPA, which governs the collection of personal data from children under 13 by online services.', 'full_name': 'Federal Trade Commission (FTC)', 'description': 'Oversees unfair or deceptive business practices and can investigate companies that mislead consumers about data collection, sharing, or use.', 'who_can_file': "Anyone affected by the company's practices (US or international)", 'complaint_url': 'https://reportfraud.ftc.gov/', 'what_you_need': 'Your account details, a timeline of relevant events, and a description of the specific issue', 'what_to_expect': 'Complaints inform FTC enforcement priorities and investigations but do not result in individual resolution or compensation'}, {'agency': 'DOE', 'reason': 'Where Microsoft 365 Education is used in schools, FERPA applies to student data and the Department of Education has oversight.', 'full_name': 'Department of Education (DOE)', 'description': 'Enforces the Family Educational Rights and Privacy Act (FERPA), which protects student education records. Can investigate violations of student data privacy rights.', 'who_can_file': 'Students (or parents of minor students) whose FERPA rights may have been violated by an educational institution that receives federal funding', 'complaint_url': 'https://studentprivacy.ed.gov/file-a-complaint', 'what_you_need': 'Name of the institution, description of the FERPA violation, relevant dates, and documentation showing the violation if available', 'what_to_expect': 'The DOE Family Policy Compliance Office reviews complaints and may investigate. Resolution typically involves the institution correcting its practices. Filing must be within 180 days of the alleged violation.'}

What is the severity of this clause?

ConductAtlas classifies this Children's Privacy and Parental Consent clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar Children's Privacy and Parental Consent clauses across approximately 3 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

Children's Privacy and Parental Consent — Microsoft

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for Microsoft Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

Microsoft requires parental consent before collecting personal data from children under 13 (or the applicable age of digital consent in other countries), and provides parents with tools to review and delete their child's data.

ⓘ

This analysis describes what Microsoft's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

If your child uses Microsoft services such as Xbox, Minecraft, or Microsoft 365 Education, their personal data is being collected and you have the right to review, correct, or delete it.

Recent Activity

This document changed recently

Medium Apr 19, 2026

The updated policy establishes additional grounds on which Microsoft may retain personal data. While the prior version tied retention to specific user expectations and available deletion controls, the revised language authorizes retention for 'operating our business, meeting our contractual and legal obligations, improving and developing our products and services, protecting the safety and security of our systems and customers, and resolving disputes.' This expands the stated purposes beyond transaction fulfillment and legal compliance. The updated policy directs users to product-specific documentation for retention details rather than providing explicit deletion procedures and timelines in the privacy statement itself.

View change record →

Medium Apr 1, 2026

The updated policy now grounds data retention in five broad business purposes: operating the business, meeting contractual and legal obligations, improving and developing products and services, protecting system and customer safety, and resolving disputes. Previously, the policy articulated specific criteria for determining retention periods, including customer expectations for retention until manual deletion, availability of automated deletion controls, and data sensitivity. The revised language removes these granular criteria and instead requires users to consult individual product documentation to understand when their specific data will be deleted. This shifts the burden of finding retention timelines from the main policy statement to separate product-specific documents.

View change record →

Medium Mar 13, 2026

The updated Privacy Statement removes previously stated language about additional rights available to European Economic Area users, narrowing the policy's explicit protections in that region. Simultaneously, the revised terms now explicitly authorize Microsoft to contact users via auto-dialer and prerecorded voice for marketing purposes, provided the user has consented to receive marketing communications to the phone number supplied. This establishes Microsoft's contractual permission to initiate automated marketing calls using artificial intelligence-generated voice technology where user consent to marketing contact has been given.

View change record →

Consumer impact (what this means for users)

Microsoft collects extensive personal data — including location, voice recordings, typed content, browsing history, and health-related data — across its entire product ecosystem, and uses this data for personalised advertising, product improvement, and AI model training. Data may be shared with third-party partners, advertisers, and other Microsoft-affiliated companies, and some data may be retained even after account deletion. You can review, download, or delete your personal data by visiting account.microsoft.com/privacy and adjusting settings via the Microsoft Privacy Dashboard.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Sign in to your Microsoft account and navigate to Microsoft Family Safety at account.microsoft.com/family to review your child's account, manage permissions, and request deletion of their personal data.

Cross-platform context

See how other platforms handle Children's Privacy and Parental Consent and similar clauses.

Compare across platforms →

Monitoring

Microsoft has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

Microsoft's children's data provisions engage COPPA (US), GDPR Art. 8 (EEA), and the UK Children's Code; education sector deployments via Microsoft 365 Education also trigger FERPA obligations, and institutional buyers should verify age-gate and consent mechanisms in enterprise deployments.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

Federal Trade Commission (ftc)

Oversees unfair or deceptive business practices and can investigate companies that mislead consumers about data collection, sharing, or use.

Who can file: Anyone affected by the company's practices (US or international)

What you need: Your account details, a timeline of relevant events, and a description of the specific issue

What to expect: Complaints inform FTC enforcement priorities and investigations but do not result in individual resolution or compensation

File a complaint →
Department Of Education (doe)

Enforces the Family Educational Rights and Privacy Act (FERPA), which protects student education records. Can investigate violations of student data privacy rights.

Who can file: Students (or parents of minor students) whose FERPA rights may have been violated by an educational institution that receives federal funding

What you need: Name of the institution, description of the FERPA violation, relevant dates, and documentation showing the violation if available

What to expect: The DOE Family Policy Compliance Office reviews complaints and may investigate. Resolution typically involves the institution correcting its practices. Filing must be within 180 days of the alleged violation.

File a complaint →

Provision details

Document information

Document

Microsoft Privacy Statement (Legacy)

Entity

Microsoft

Document last updated

March 5, 2026

Tracking information

First tracked

March 6, 2026

Last verified

March 9, 2026

Record ID

CA-P-00001003

Document ID

CA-D-00001

Evidence Provenance

Source URL

https://www.microsoft.com/en-us/privacy/privacystatement

Wayback Machine

View archived versions →

Content hash (SHA-256)

b3c85aa6a19fc8ce1bad351ae60d82fbee162cdf439701bea9f0007ce7de8bc0

Analysis generated

March 6, 2026 20:13 UTC

Methodology

summarize_document-v7

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Microsoft
Document: Microsoft Privacy Statement (Legacy)
Record ID: CA-P-00001003
Captured: 2026-03-06 20:13:02 UTC
SHA-256: b3c85aa6a19fc8ce…
URL: https://conductatlas.com/platform/microsoft/microsoft-privacy-statement-legacy/childrens-privacy-and-parental-consent/
Accessed: June 10, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

High

Other risks in this policy

AI and Copilot Data Use high
Targeted Advertising Using Personal Data medium
Collection of Health and Biometric Data high
Data Retention After Account Deletion medium
Cross-Product and Third-Party Data Sharing high
Diagnostic and Telemetry Data Collection (Windows) medium

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Microsoft's Children's Privacy and Parental Consent clause do?

If your child uses Microsoft services such as Xbox, Minecraft, or Microsoft 365 Education, their personal data is being collected and you have the right to review, correct, or delete it.

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.

Is ConductAtlas affiliated with Microsoft?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Microsoft.