Microsoft updated how it explains data retention in its privacy statement on April 1, 2026. Previously, the policy listed specific criteria — like whether users expected data to persist or whether sensitive data types warranted shorter retention — in a more detailed, consumer-facing format. The updated version simplifies and reorganizes this section, replacing granular examples and criteria with broader categories, which may make it harder for users to understand exactly how long their data is kept.
Microsoft removed specific details about how long it keeps your data — including a concrete 30-day window after deleting emails and explicit protections for sensitive data — replacing them with vague, general language. This makes it harder for users and regulators to hold Microsoft accountable to specific retention commitments.
Microsoft changed the section of its privacy policy explaining how long it keeps your personal data, replacing specific examples and criteria with broader, more general language. The updated policy removes details like the 30-day grace period after emptying your Outlook Deleted Items folder and the explicit mention of sensitive data types warranting shorter retention, making it harder to know exactly how your data is handled. You can review your data and manage retention settings directly through the Microsoft Privacy Dashboard at account.microsoft.com/privacy.
Microsoft revised its data retention disclosure on April 1, 2026, consolidating and generalizing the criteria it uses to determine how long personal data is kept. The change removes specific retention examples (e.g., the 30-day post-deletion window for Outlook) and explicit references to shortened retention for sensitive data types, replacing them with broader principle-based language. This touches Art. 13(2)(a) and Art. 5(1)(e) GDPR (storage limitation principle) and equivalent CCPA/CPRA disclosure obligations. Compliance officers with Microsoft in their vendor stack should assess whether their own privacy notices referencing Microsoft retention timelines need updating. Action likely required for EU-facing organizations.
1. GDPR Art. 5(1)(e) — Storage limitation principle: Controllers must ensure personal data is kept no longer than necessary. Microsoft's shift to vaguer retention language may offer less of the specificity that regulators interpreting this principle require.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000208.
ConductAtlas Policy Archive | Entity: Microsoft | Document: Microsoft Privacy Statement (Legacy) | Record: CA-C-000208 | Captured: 2026-04-01 06:02:34 UTC | URL: https://conductatlas.com/change/2026-04-01-microsoft-microsoft-privacy-statement-legacy-208/ | Accessed: April 4, 2026