Microsoft Affiliate Data Sharing

What it is

Because Activision is now owned by Microsoft, your personal data may be shared with Microsoft and its many subsidiaries for business purposes.

Why it matters (compliance & governance perspective)

The Microsoft corporate family is one of the world's largest technology ecosystems; data sharing within this family substantially expands the potential uses and integrations of your Activision personal data beyond the gaming context.

Consumer impact (what this means for users)

Personal data collected through Activision games and services may be shared with Microsoft Corporation and its subsidiaries, potentially enabling integration with Microsoft's advertising, cloud, and enterprise platforms depending on the operational purposes cited.

What you can do

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: Intra-group data sharing within a multinational corporate family engages GDPR Chapter V on cross-border transfers (where data flows from EEA entities to US Microsoft entities), CCPA/CPRA disclosure requirements for categories of third parties receiving personal information, and potentially COPPA where children's data is involved. The lawful basis for intra-group sharing under GDPR must be independently established and cannot rely solely on corporate affiliation. (2) GOVERNANCE EXPOSURE: Medium. The stated purpose of 'business and operational purposes' is broad and may not provide sufficient specificity under GDPR Article 13 transparency requirements. The policy does not enumerate which Microsoft subsidiaries receive data or for which specific operational purposes, creating governance ambiguity about the actual data flows within the Microsoft ecosystem. (3) JURISDICTION FLAGS: EU and UK users face the highest exposure given cross-border transfer requirements for data flows to US-based Microsoft entities. Standard Contractual Clauses or binding corporate rules must cover these transfers and transfer impact assessments may be required post-Schrems II. California residents are entitled to know the categories of affiliated companies receiving their data under CCPA. (4) CONTRACT AND VENDOR IMPLICATIONS: Following the Microsoft acquisition, existing data processing agreements, privacy notices, and transfer mechanisms may require updating to reflect new data flows within the Microsoft corporate family. Procurement and legal teams at B2B partners should assess whether their own contracts with Activision contemplate sub-processing by Microsoft entities. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should map all intra-group data flows to Microsoft subsidiaries, ensure transfer mechanisms are current and cover the expanded affiliate network, update GDPR Article 13/14 disclosures to name or categorize Microsoft subsidiaries receiving personal data, and assess whether intra-group data sharing for advertising or product improvement requires explicit consent rather than legitimate interests as a lawful basis.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Collection of Voice and Chat Data high
• Sharing with Advertising and Analytics Partners high
• Children's Privacy and Parental Consent high
• California Opt-Out Rights (CCPA/CPRA) medium
• Cross-Border Data Transfers medium
• Gameplay and Behavioral Data Collection medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.