Privacy groups claim Microsoft’s Kids Passport is a ticket for trouble

Some privacy and consumer advocates allege that a new Microsoft service, which is intended to help parents control the information their children give out online, actually is misleading and fails to comply with a federal law aimed at protecting children’s online privacy. They have asked the Federal Trade Commission (FTC) to investigate.

Microsoft denies the allegations and responds that some of the groups’ complaints basically amount to nit-picking.

The Electronic Privacy Information Center, along with the Center for Media Education and 11 other organizations, filed supplemental materials in support of a pending complaint with the FTC Aug. 15.

The law in question is the Children’s Online Privacy Protection Act (COPPA). It prohibits unfair or deceptive marketing practices and requires web sites aimed at kids to display prominently a detailed and easy-to-read privacy policy.

COPPA also requires web sites to obtain “verifiable parental consent” before collecting, using, or disclosing any personal information, such as names or addresses, from children under 13.

“We’re calling on the Federal Trade Commission to confirm whether the Microsoft Kids Passport complies with COPPA,” said Gabriela Schneider, senior policy analyst at the Center for Media Education.

Kids Passport is a version of Microsoft’s Passport technology, an online service that lets users create a single profile—including username, password, and other information—that can be used on all participating web sites. The service’s goal is to make web-surfing and internet shopping easy for consumers.

According to the Microsoft Passport web site, “Kids Passport helps protect and control online privacy for children by obtaining parental consent to collect or disclose a child’s personal information” from one convenient, centralized location.

Parents can use Kids Passport as a tool to permit participating web sites—such as or—to collect or disclose personally identifying information about their children.

When a child tries to sign on to a web site that requires personally identifying information, the child can ask a parent or guardian for permission by sending an electronic request through Kids Passport. The parent or guardian reviews the request and can grant a specific level of consent or deny consent altogether.

Microsoft’s Kids Passport appears to meet most of COPPA’s requirements, but privacy advocates and education organizations are concerned it doesn’t meet them all.

“Microsoft is promoting its Kids Passport to parents as a service that will protect their kids’ privacy, when in fact it doesn’t appear to comply with the law,” Schneider said. “It’s misleading to parents.”

The Kids Passport privacy policy says, “It is important for you to read the Privacy Statement and Terms of Use for each web site you are consenting for your child to visit and use.”

But under COPPA, Schneider said, “there should be one [privacy] policy that outlines all of the details” if there is a single form that allows parents to sign their consent.

With Kids Passport, parents need to read the individual privacy policy of each web site their kids visit. The Microsoft service “puts the burden on parents to see if the web sites have changed their policy,” Schneider said.

A Microsoft representative told eSchool News, “Kids Passport is only a mechanism to help parents with parental control. Should Kids Passport be the one to govern the privacy policies of all these sites? Microsoft never positioned it to be that.”

In addition, the complaining organizations say Microsoft should do more to draw attention to its own privacy policy, as mandated by COPPA.

COPPA requires kids’ web sites to place a link to their privacy policy clearly and prominently on the page. The rules state that the link should be different in color and have a larger font than surrounding text.

Currently, the link to the privacy policy on Microsoft’s Kids Passport has the same positioning, color, and font size as surrounding text.

“They are disregarding the law, and that’s pretty egregious,” Schneider contended. “The law was passed to protect children under 13, and they are not complying with that law.”

“I would argue that the privacy policy is very prominent,” countered the Microsoft representative. The groups’ arguments “are really far-fetched. They’re really digging.”

Microsoft Passport is not mandatory for users, but it is one of the foundation services of the Microsoft .NET initiative, which aims in the future to offer personalized experiences to users anytime, anywhere, from any device.

Currently, the Microsoft Kids Passport requires a child’s birth date, sign-in name, password, password-reset question, eMail address, country, state, and region. Microsoft stores the personal information on its secure server.

According to the Microsoft Kids Passport privacy policy, Microsoft intends to use this information to provide a personalized experience for the user. Also, it’s up to the parent to decide if a child should receive eMail advertisements.

Parents can choose how much of their child’s personal information Microsoft can share with Passport-participating web sites.

“Microsoft is saying, ‘Sign up here for your child if you would like to have full, medium, or all information collected on the child,'” Schneider said.

The Center for Media Education and other privacy groups want the FTC, and Microsoft, to review Microsoft’s policies and practices to see if they comply with COPPA.

“The law is only as effective as its enforcement,” Schneider said. If the FTC does not investigate this, it would set a dangerous precedent that might undermine the goal of protecting children’s privacy in the online environment, she added.


Center for Media Education

Microsoft Kids Passport

Microsoft Passport

Microsoft Passport Privacy Policy

eSchool News Staff

Want to share a great resource? Let us know at