Microsoft revised its data retention policy language on April 1, 2026. Previously, the policy outlined specific retention criteria including whether customers expected data retention until deletion, whether automated deletion controls existed, and whether data was sensitive in type. The updated terms consolidate retention rationale into a broader set of purposes: operating the business, meeting contractual and legal obligations, improving products and services, protecting system and customer safety, and resolving disputes. The policy now directs users to product documentation for specific retention periods rather than describing retention criteria in the main policy.
The updated policy now grounds data retention in five broad business purposes: operating the business, meeting contractual and legal obligations, improving and developing products and services, protecting system and customer safety, and resolving disputes. Previously, the policy articulated specific criteria for determining retention periods, including customer expectations for retention until manual deletion, availability of automated deletion controls, and data sensitivity. The revised language removes these granular criteria and instead requires users to consult individual product documentation to understand when their specific data will be deleted. This shifts the burden of finding retention timelines from the main policy statement to separate product-specific documents.
The updated terms consolidate retention rationale into five broad business purposes but move specific retention period specifications from the main privacy statement to product-level documentation. This restructuring means that users and compliance teams must now consult multiple product documents rather than a single consolidated retention criteria statement to understand how long Microsoft will keep their data. The change does not appear to alter Microsoft's underlying retention practices, but it affects how retention commitments are disclosed and discovered.
→ Review the product-specific documentation for each Microsoft service you use to determine retention periods for your data.
→ If you rely on documented retention timelines for personal data management planning, confirm those timelines remain unchanged in the product documentation.
→ Data retention periods will apply as specified in individual product documentation rather than as stated in the consolidated privacy statement.
→ If you do not review product-specific documentation, you may be unaware of retention timelines for data in specific services like OneDrive, Outlook, or other Microsoft products.
This is the 2nd significant Transparency Removal change Microsoft has made since ConductAtlas began monitoring.
ConductAtlas has recorded 3 material changes to this document (since March 2026). An additional minor or cosmetic changes were excluded.
3 of Microsoft's significant changes have been classified as negative for consumers.
Removed explicit criteria (customer expectations, automated controls, data sensitivity) and replaced with five broad business purposes; specific retention periods now found in product documentation.
Removed detailed explanation of Outlook and OneDrive deletion workflows and 30-day post-deletion retention window; general reference to deletion process now appears only in product documentation.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
The policy no longer explains in one place how Microsoft decides how long to keep your data; instead you must consult individual product documentation.
Microsoft consolidated retention rationale language and moved specific retention period specifications from the main privacy statement to product-level documentation. This change may affect how organizations document their compliance with data retention principles under GDPR Article 5(1)(e) (storage limitation) and similar retention frameworks. Organizations relying on Microsoft's published retention criteria for vendor assessment or DPA compliance should review the referenced product documentation to confirm retention periods remain consistent with prior disclosures. No new substantive retention obligations appear to be created, but the structure of how retention commitments are disclosed has changed.
GDPR (Article 5(1)(e) storage limitation principle, Article 13-14 transparency requirements), CCPA (Cal. Civ. Code sections 1798.100-1798.120 regarding data retention and transparency), UK GDPR (parallel to GDPR Article 5), data retention laws applicable in jurisdictions where Microsoft operates.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001197.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherMicrosoft updated three passages in its Responsible AI Principles on April 19, 2026. The first change revised the opening tagline …
Microsoft updated three phrases in its Responsible AI document. The opening tagline changed from 'Build your business with trustworthy AI' …
Microsoft modified its data retention policy language on April 19, 2026. Previously, the policy described specific retention criteria including whether …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.