What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This statement explicitly engages GDPR (EU/EEA and UK), a range of U.S. state privacy laws including CCPA (California), and COPPA for users under 13. The statement references Standard Contractual Clauses as a cross-border data transfer mechanism for EU data. Enforcement authorities include the FTC at the federal level in the U.S., state attorneys general under applicable state privacy statutes, EU data protection authorities, and the UK ICO. The statement's reliance on…

How does Microsoft Azure's Microsoft Privacy affect users?

The document establishes that Microsoft collects and processes personal data across device identifiers, location, browsing and search history, voice data, and communications content for purposes including advertising, personalization, and AI model improvement. For Copilot and AI-powered features, the document permits use of prompts and generated content to improve AI models subject to applicable settings and controls. The document authorizes users to access, review, adjust privacy settings, opt…

How often is Microsoft Azure's Microsoft Privacy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Microsoft Azure updates this document?

Yes. Monitor subscribers ($19/month) can add Microsoft Azure to their watchlist and receive same-day email alerts whenever this document or any other Microsoft Azure document changes.

CA-D-000018

Microsoft Privacy

Microsoft Azure

Last change detected June 26, 2026 Privacy policy

SHA-256: a3a7fb99f977d2ae14f… 6 versions captured 5 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Microsoft Azure ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

1 High severity

7 Medium severity

2 Low severity

Summary

This document establishes Microsoft's privacy practices across its consumer and enterprise products, including Windows, Microsoft 365, Bing, Xbox, Cortana, Teams, and Copilot. The policy authorizes Microsoft to collect personal data including names, location, device identifiers, browsing and search history, voice recordings, and file and communication content, and to use this data for product operation, advertising, product improvement, and AI model development. The policy specifies that users may review, adjust, and delete personal data through the Microsoft privacy dashboard at account.microsoft.com/privacy.

Technical / Legal Breakdown

This document is Microsoft's global Privacy Statement, last updated March 2026, governing the collection, use, and sharing of personal data across Microsoft's consumer and enterprise products and services, with its legal basis rooted in consent, contractual necessity, legitimate interests, and legal obligation depending on jurisdiction. The statement asserts that Microsoft collects a broad range of personal data including name, contact information, device and usage data, location, biometric data (voiceprints and facial recognition in applicable products), browsing history, search queries, and content of communications, and the terms authorize use of this data for product improvement, personalization, advertising, and security purposes. Notably, the statement includes specific provisions for AI and Copilot capabilities, enterprise online services, children's data, and U.S. state-level privacy rights, and it distinguishes between Microsoft acting as a data controller for consumer products and as a data processor when enterprise customers deploy its services, a distinction that materially affects which rights consumers can exercise directly against Microsoft. The statement engages GDPR for EU/EEA users, CCPA and a range of U.S. state privacy laws for U.S. residents, COPPA for children under 13, and relevant frameworks in other jurisdictions; the statement acknowledges that data may be transferred internationally and that Microsoft relies on Standard Contractual Clauses and other transfer mechanisms. Material compliance considerations include the breadth of data collected for AI and Copilot features, the layered controller-processor structure in enterprise contexts, and Microsoft's stated reliance on legitimate interests as a processing basis in some contexts, which may require evaluation under GDPR's balancing test.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

5 important changes detected

6 versions captured · Last updated: June 2026

June 26, 2026

low

What changed Microsoft updated its Privacy Statement on June 26, 2026, restructuring and revising 879 sentences while adding 211 new ones across 1,628 total sentences. The company reorganized the document's table of contents, renaming sections such as 'Reasons we share personal data' to 'Reasons we disclose personal data' and 'Where we store and process personal data' to 'Storage and processing of personal data.' The statement now emphasizes that 'Your privacy is important to Microsoft' rather than 'us,' and uses first-person plural language throughout ('we process' instead of 'Microsoft processes'). Microsoft states the refresh makes the policy 'easier to read, navigate, and understand, with clearer explanations of how we use data and the choices available to you.'

Why this matters Microsoft restructured its privacy statement on June 26, 2026, with extensive revisions to wording and organization. The core document now uses clearer first-person language ('we process' instead of 'Microsoft processes') and reorganizes sections for improved navigation. Microsoft states the refresh was designed to make the policy 'easier to read, navigate, and understand, with clearer explanations of how we use data and the choices available to you.' The substantive scope of what personal data Microsoft collects and how it processes that data does not appear materially altered by these revisions based on the change summary provided.

View full change record →

April 19, 2026

medium

What changed Microsoft Azure updated its privacy policy on April 19, 2026, making several changes to how it handles your data and communicates with you. The company added language stating it may contact you by phone using automated dialers and AI-generated voices if you consent to marketing communications. It also simplified and reorganized its data retention section, clarifying that it keeps your data while you use its services and for business, legal, and security purposes, but removed some specific examples and details about how long it retains different types of information.

Why this matters Microsoft now discloses that it may contact you by phone for marketing using automated dialers and AI-generated voices if you have consented to marketing communications, which represents a new disclosure of contact method and technology type. The company has also reorganized its data retention policy to state it retains data for broader business purposes including improving products and protecting systems, while removing previous specific examples and retention criteria, making it less clear exactly how long specific types of your data will be kept. You should review your consent settings for marketing communications and verify what contact methods you have authorized, particularly if you have concerns about automated or AI-generated calls.

View full change record →

April 1, 2026 medium

Microsoft revised how it explains data retention. Previously, the policy listed specific criteria for deciding how long to keep data, including examples like documents in OneDrive. Now the policy provides …

View change record →

March 13, 2026 low

Microsoft Azure's privacy policy now discloses that if you consent to receive marketing communications via phone, the company may contact you using automated dialing systems and artificial or prerecorded voices, …

View change record →

March 6, 2026 medium

Microsoft updated its data retention policy on March 6, 2026, to provide more specific guidance on how long it keeps your data and under what circumstances. The new language clarifies …

View change record →

Recent Provision Changes Jun 26, 2026

Added (5)

Personal Data Collection Scope Medium

New foundational provision establishing the scope and sources of data collection including direct provision, behavioral tracking, contextual collection, and third-party sources.

Controller-Processor Distinction in Enterprise Contexts Medium

New clarification distinguishing Microsoft's role as processor versus controller in enterprise contexts, establishing that client organizations retain data control authority.

U.S. State Data Privacy Rights Medium

New provision addressing state-level privacy rights under emerging U.S. state privacy laws including access, correction, deletion, portability, and opt-out rights for sales and targeted advertising.

Advertising and Interest-Based Targeting Medium

New provision detailing use of data for personalization, recommendations, and interest-based advertising with acknowledgment of promotional communications.

Changes to the Privacy Statement Low

New provision establishing notification procedures for material privacy statement changes, including prominent notice posting and direct notification requirements.

Removed (5)

Behavioral Profiling for Targeted Advertising

High-severity provision on behavioral profiling removed, likely consolidated into the new 'Advertising and Interest-Based Targeting' provision with lower medium severity.

Third-Party Data Sharing

High-severity provision on third-party data sharing removed entirely, with only implicit reference remaining in the new 'Personal Data Collection Scope' provision about obtaining data from third parties.

Consumer Data Rights (Access, Correction, Deletion, Portability)

General consumer rights provision removed and replaced with jurisdiction-specific 'U.S. State Data Privacy Rights' provision reflecting regulatory evolution toward state-level privacy laws.

Voice and Biometric Data Collection

High-severity provision on biometric and voice data collection removed without explicit replacement, potentially subsumed under broader 'Personal Data Collection Scope' provision.

Location Data Collection

High-severity provision on location data collection removed without explicit replacement, representing potential downgrade in transparency regarding sensitive location tracking practices.

Modified (5)

AI and Copilot Data Use

Provision changed from empty excerpt to detailed specification of AI data collection including prompts, content, responses, and usage patterns with explicit purposes.

Children's Data and Parental Consent

Severity downgraded from high to medium and provision now includes specific contact procedure and deletion commitment with explicit age threshold of 13.

Cookies and Tracking Technologies

Provision changed from empty excerpt to detailed explanation of cookie functionality including preference storage, sign-in, interest-based advertising, fraud prevention, and performance analysis.

Cross-Border Data Transfers

Provision changed from empty excerpt to comprehensive disclosure of global data transfers with explicit mention of U.S. transfers and acknowledgment of different data protection standards.

Data Retention Policy

Severity downgraded from medium to low and provision expanded from empty excerpt to specify retention purposes including legal compliance, dispute resolution, and agreement enforcement with acknowledgment of variation by product.

View full change record →

High — 1 provision

AI and Copilot Data Use Compare →

When you use Microsoft's Copilot or other AI-powered features, Microsoft collects your prompts (the questions or instructions you type), the AI's responses, and data about how you interact with those features, and may use this data to improve its AI products.

Added May 10, 2026 Standard Seen across 284 platforms

Medium — 7 provisions

Personal Data Collection Scope Compare →

Microsoft collects personal data about you from multiple sources: directly from you, automatically through how you use its products, and from third-party sources. The type and volume of data depends on which Microsoft products you use and your privacy settings.

Added May 10, 2026 Standard Seen across 284 platforms
Controller-Processor Distinction in Enterprise Contexts Compare →

When your employer or school provides you with Microsoft products (like Microsoft 365 or Teams), your employer is in charge of your data, not Microsoft directly. This means your privacy rights in that context must be exercised through your employer, not Microsoft.

Added May 10, 2026 Standard Seen across 284 platforms
Children's Data Collection and Parental Consent Compare →

Microsoft states it does not intentionally collect personal data from children under 13. If a parent discovers their child has provided data to Microsoft without consent, they can request deletion by contacting Microsoft.

Added May 10, 2026 Standard Seen across 284 platforms
U.S. State Data Privacy Rights Compare →

Depending on which U.S. state you live in, you may have the right to access, correct, delete, or export your personal data that Microsoft holds, and to opt out of targeted advertising or automated decision-making using your data.

Added April 27, 2026 Standard Seen across 284 platforms
Advertising and Interest-Based Targeting Compare →

Microsoft uses your personal data to serve you targeted advertisements and marketing, including by personalizing ads based on your browsing behavior, interests, and usage of Microsoft products.

Added May 10, 2026 Standard Seen across 284 platforms
Cross-Border Data Transfers Compare →

When you use Microsoft products, your data may be stored and processed in the United States or other countries that may have different privacy laws than where you live, including potentially weaker protections.

Added April 27, 2026 Standard Seen across 284 platforms
Cookies and Tracking Technologies Compare →

Microsoft places cookies and similar tracking technologies on your device when you use its websites and services, which are used for purposes including advertising, fraud prevention, sign-in, and analyzing how you use its products.

Added May 10, 2026 Standard Seen across 284 platforms

Low — 2 provisions

Data Retention Compare →

Microsoft keeps your personal data for as long as it needs to provide its services, comply with legal requirements, or resolve disputes, but the actual length of time varies by data type and product and is not specified in specific timeframes.

Added May 10, 2026 Standard Seen across 284 platforms
Changes to the Privacy Statement Compare →

Microsoft can update this privacy policy at any time and will notify users of material changes either by posting a notice on its website or by sending a direct notification, but non-material changes may occur with only a date update.

Added May 10, 2026 Standard Seen across 284 platforms

Monitoring

Microsoft Azure has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle AI and Copilot Data Use and similar clauses.

Compare across platforms →

Archival ProvenanceSource & Archival Record

Last Captured June 26, 2026 01:20 UTC

Capture Method Automated scheduled archival capture

Document ID CA-D-000018

Version ID CA-V-004258

Source URL https://privacy.microsoft.com/en-us/privacystatement

Wayback Machine View external archival references →

SHA-256 a3a7fb99f977d2ae14f447ab7e52f1c477cd5691d398dcc03912937b3b4f556a

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Microsoft Privacy

June 26, 2026

April 19, 2026

Recent Provision Changes Jun 26, 2026

Monitor governance changes across the platforms you rely on.