Microsoft continues on its steady path toward compliance with the European Union (EU) General Data Protection Regulation (GDPR). Today we are announcing new parental consent requirements for accounts held by children in the EU. We are instituting these requirements across our product platforms to meet GDPR requirements, well in advance of the May 25 deadline, to afford our customers the time needed to verify their accounts and authorize any necessary consent.
Where a controller is relying on consent to process personal data, the GDPR requires parents to provide their consent to process personal data of children younger than 16 years old. EU member states may choose to set a lower age – which some have done – provided it isn’t lower than age 13. At this time EU regulators have not provided definitive guidance on how to verify parental consent. To implement parental consent requirement in the GDPR, Microsoft is relying on the high standards afforded under the U.S. Children’s Online Privacy Protection Act (COPPA) to verify parental consent for children’s accounts across our product platforms. We have already started to roll out the necessary notifications to our users in many EU member states. We will complete the rollout by the end of April.
Using COPPA processes, we will prompt existing users to provide their country and date of birth. Users who are younger than the age of consent for their country will then be prompted for parental consent when they sign into their account during a short grace period. To verify their child’s account, parents will need to use a credit card or a debit card with a card verification value (cvv) for a 50-cent charge which will be credited toward an existing Microsoft account. This nominal charge also offers parents an extra step of protection to be aware of any misuse when reviewing their card statement. Parents who cannot, or choose not, to go through this process can also contact Microsoft Customer Service and Support to verify age and identity based on appropriate government documents.
After the grace period, the child’s account will be blocked until the parent completes the consent and verification process. Microsoft will continue to support data subject rights for children whose accounts are blocked pending parental consent. For new users, Microsoft will block final creation of the account until the parent provides consent within two weeks, after which the account will be deleted.
While we appreciate these new GDPR requirements may cause some temporary inconveniences, verifying that an adult is giving their child permission to use an account is an important component of Microsoft’s effort to help children explore technology safely. We also encourage parents to use this as an opportunity to review their child’s account content, screen time and monitoring settings by visiting account.microsoft.com/family.