Introducing Microsoft account age-related features for GDPR

Howdy folks,

Today, I’m pleased to announce the rollout of recently redesigned and improved parental consent capabilities to our Microsoft account users in the European Union. This is an important step in giving our users the capabilities that are defined in the General Data Privacy Regulations (GDPR).

At Microsoft, we firmly believe that children are an important part of our user ecosystem, whether they’re playing Minecraft, chatting with their grandparents on Skype, or watching Peppa Pig on a Surface Book. We also believe it’s important that parents and guardians have suitable safeguards available. That’s why Microsoft has a long standing commitment to COPPA and similar regulations across the globe.

GDPR requires parents to provide their consent to process the personal data of children younger than 16 years old. EU member states may choose to set a lower age – which some have done – provided it isn’t lower than age 13. The U.S. Children’s Online Privacy Protection Act (COPPA) and GDPR have a lot of overlap, so we have worked to combine and meet the stricter standards across the board.

To meet this requirement, our systems need to know which Microsoft account users are adults and which are not, using a method which is acceptable under the various legislative requirements.

We will do this by assuring we have a date of birth for all covered accounts. For anyone who has not provided this information, we are now starting to prompt them to provide their country and date of birth. Then, users who are younger than the age of consent for their country are prompted for parental consent when they sign into their account. (Note that they are given a short grace period to allow parents time to complete the verification process.)

To provide consent to their child’s account, parents can prove they are an adult by using a credit card. We also offer alternative age verification methods for parents who don’t have, or don’t want to use their credit card. Parents can contact Microsoft Customer Service and Support to verify age and identity based on appropriate government documents. After the grace period, access to the child’s account will be blocked until the parent completes the consent and verification process.

We realize that completing parental consent may be time consuming. As with many of our counterparts across the industry, we rely on the use of a credit card charge to verify that the user is an adult. The use of a credit card is one of regulatory approved mechanisms for proving adulthood. We have a long-standing commitment to work in the standards industry identity solutions that allow a parent to verify their identity in a secure, private and consistent way across the globe.

We have been closely monitoring the rollout and have been diligently investigating issues as they are raised. One of the trends we have seen is around adults who are being asked to provide parental consent. In all cases we have been able to track this back to the user, who are intentionally or mistakenly, entering a date of birth that classifies them as a minor. We are adding several mechanisms to help in this situation but unfortunately it does force us to verify the user is not a child. We will continue to study ways of improving this experience. Of course, our goal is to enable all users to give us their correct date of birth with as little friction as possible.

I hope you’ll take some time to check this new feature out as we continue to refine and improve our scenarios that support parents keeping their children safe online.

As always, we would love to receive any feedback or suggestions you have.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division