What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This statement engages GDPR (EU and UK) with Microsoft disclosing its EU Data Protection Officer and referencing standard GDPR mechanisms including data subject rights and lawful bases for processing; it engages CCPA and other U.S. state privacy laws for qualifying residents; COPPA is implicated by the children's data section; the EU AI Act may be relevant to the AI and Copilot capabilities section given the processing of personal data for AI model training and inference, …

How does Microsoft's Microsoft Privacy Statement (Legacy) affect users?

The document establishes that Microsoft collects personal data across its services and uses such data for advertising targeting, product personalization, and AI model improvement. Users in the EU and UK operate under GDPR-based rights including data access, correction, deletion, and processing objection, while California and other U.S. state residents operate under state privacy law rights including opt-out mechanisms for data sales or sharing for targeted advertising. Data management, access r…

How often is Microsoft's Microsoft Privacy Statement (Legacy) updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Microsoft updates this document?

Yes. Watcher subscribers ($9.99/month) can add Microsoft to their watchlist and receive same-day email alerts whenever this document or any other Microsoft document changes.

CA-D-000001

Microsoft Privacy Statement (Legacy)

Microsoft

Last change detected April 19, 2026 Privacy policy

SHA-256: df6d59073298e33eb92… 7 versions captured 7 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Microsoft ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

0 High severity

8 Medium severity

2 Low severity

Summary

This document establishes Microsoft's privacy practices across its product portfolio including Windows, Microsoft 365, Bing, Xbox, Copilot, Teams, and Azure, and specifies categories of personal data collected such as identifiers, location, voice recordings, browsing history, and user-created content. The statement authorizes Microsoft to process personal data for advertising, product improvement, and AI model development, and permits disclosure to advertising and analytics partners. The document outlines data subject rights including access, correction, deletion, and objection mechanisms available to EU, UK, and U.S. state residents, with management and requests processed through account.microsoft.com/privacy.

Technical / Legal Breakdown

This document is the Microsoft Privacy Statement (last updated March 2026), governing the collection, use, and sharing of personal data across Microsoft's consumer and enterprise products, services, websites, and applications, with legal bases including consent, contract performance, legitimate interests, and legal obligation depending on jurisdiction. The statement authorizes collection of identifiers, device and configuration data, browsing and search history, location data, voice and audio recordings, content and communications data, and inferences drawn from these categories; it also authorizes use of this data for product improvement, personalization, advertising, security, and AI model development, and sharing with subsidiaries, affiliates, advertising partners, analytics providers, and other third parties as described. Notably, the statement covers a broad spectrum of Microsoft products simultaneously under a single umbrella document, including AI and Copilot capabilities, enterprise services, consumer productivity apps, gaming (Xbox), and health-related features, creating jurisdiction-dependent variation in how specific provisions apply; the document asserts data use for AI and Copilot improvement and personalization, which may engage emerging regulatory frameworks in ways the statement does not fully resolve. The statement explicitly references GDPR applicability for EU and UK users, CCPA and U.S. state privacy law applicability for qualifying residents, and COPPA-related protections for children under 13; Microsoft's EU and UK Data Protection Officer contact is disclosed, and the statement describes standard mechanisms such as data subject access requests, deletion rights, and opt-out controls available through the Microsoft Privacy Dashboard and account settings.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

7 important changes detected

7 versions captured · Last updated: April 2026

April 19, 2026

medium

What changed Microsoft modified its data retention policy language on April 19, 2026. Previously, the policy described specific retention criteria including whether customers expected data to be retained until they removed it, and whether automated deletion controls existed. The updated language simplifies retention guidance by stating that Microsoft retains personal data to provide services, fulfill transactions, and for legitimate purposes including legal obligations, business operations, and dispute resolution. The revised policy removes granular examples (like email deletion procedures) and instead directs users to product documentation, while adding new retention justifications around improving products, protecting systems, and customer safety.

Why this matters The updated policy establishes additional grounds on which Microsoft may retain personal data. While the prior version tied retention to specific user expectations and available deletion controls, the revised language authorizes retention for 'operating our business, meeting our contractual and legal obligations, improving and developing our products and services, protecting the safety and security of our systems and customers, and resolving disputes.' This expands the stated purposes beyond transaction fulfillment and legal compliance. The updated policy directs users to product-specific documentation for retention details rather than providing explicit deletion procedures and timelines in the privacy statement itself.

View full change record →

April 8, 2026

low

What changed Microsoft's Privacy Statement was updated on April 8, 2026, with 2 sentences added, 11 sentences removed, and 10 sentences modified. The document previously contained specific language across these sections that has now been condensed or reworded. Without access to the specific sentence-level diffs, the precise operational changes cannot be determined from this summary alone, though the net reduction in removal count suggests consolidation or simplification of certain privacy disclosures.

Why this matters Microsoft modified its Privacy Statement on April 8, 2026, through removal of 11 sentences, addition of 2 sentences, and revision of 10 existing sentences. The net effect appears to be consolidation or clarification of previously stated privacy practices. Without visibility into which specific privacy disclosures were removed or modified, the material operational impact on consumer rights or data practices cannot be fully assessed from the change count alone.

View full change record →

April 1, 2026 medium

Microsoft revised its data retention policy language on April 1, 2026. Previously, the policy outlined specific retention criteria including whether customers expected data retention until deletion, whether automated deletion controls …

View change record →

March 13, 2026 medium

Microsoft updated its Privacy Statement in March 2026 with two substantive changes: removal of language describing additional rights for European Economic Area users, and addition of language authorizing contact via …

View change record →

March 5, 2026 low

Microsoft added two sentences to its Privacy Statement on March 5, 2026, stating that it has updated its data retention policy to reflect new regulatory requirements effective March 2026, and …

View change record →

March 5, 2026 low

Microsoft removed two sentences from its Privacy Statement on March 5, 2026. Without access to the specific sentences that were deleted, the operational impact cannot be determined from the change …

View change record →

March 5, 2026 medium

Microsoft removed a sentence from its privacy statement that described consent-based marketing contact via auto-dialer and prerecorded voice technology potentially generated using AI. The updated document no longer explicitly discloses …

View change record →

Medium — 8 provisions

AI and Copilot Data Use for Model Improvement Compare →

When you use Microsoft's AI tools like Copilot, your prompts and the AI's responses may be used by Microsoft to improve its AI systems. This applies across Microsoft products that include AI features.

Added May 12, 2026 Common Seen across 104 platforms
Personal Data Collection Categories Compare →

Microsoft collects personal data you provide directly, data generated by how you use its products, and data obtained from third parties. The specific data collected depends on which Microsoft products you use and your privacy settings.

Added May 12, 2026 Standard Seen across 251 platforms
Advertising and Behavioral Targeting Compare →

Microsoft uses personal data it collects about you to select and display targeted advertisements, both for its own products and for third-party advertisers. It may also permit advertisers to use data collected on Microsoft platforms for their own advertising purposes.

Added April 9, 2026 Standard Seen across 246 platforms
Children's Data Collection and Parental Consent Compare →

Microsoft requires parental consent before collecting personal data from children under 13, and child accounts must be created with parent or guardian authorization. The Microsoft Family Safety product provides parental controls over children's digital activity on Microsoft platforms.

Added April 9, 2026 Standard Seen across 251 platforms
Voice and Audio Data Collection Compare →

Microsoft collects voice recordings when you use voice-enabled features like Cortana or dictation, and may use these recordings to improve speech recognition. You can delete voice data through your account settings.

Added May 12, 2026 Standard Seen across 251 platforms
U.S. State Data Privacy Rights Compare →

Residents of states including California, Colorado, Texas, Virginia, and others have legal rights to access, correct, delete, and opt out of the sale or sharing of their personal data under state privacy laws. Microsoft describes how to exercise these rights.

Added April 9, 2026 Standard Seen across 262 platforms
Data Sharing with Third Parties Compare →

Microsoft shares your personal data with affiliated companies, vendors working on its behalf, and others including in response to legal requirements or in connection with corporate transactions such as mergers or acquisitions. Some sharing requires your consent; other sharing occurs without it under the described conditions.

Added May 12, 2026 Standard Seen across 246 platforms
Enterprise and Organizational User Notice

If you access Microsoft products through a work or school account, your employer or school may be able to access your data, including emails and files, and control your account's privacy settings. Microsoft's privacy protections in this context are supplemented by your organization's own policies.

Added May 12, 2026 Rare

Low — 2 provisions

Data Retention Policy Compare →

Microsoft keeps your personal data for as long as it needs to provide services or meet legal obligations. The actual length of time data is kept varies by data type and product, and is not fixed to a specific period across all services.

Added April 9, 2026 Standard Seen across 223 platforms
Changes to the Privacy Statement Compare →

Microsoft may update this privacy statement at any time. For material changes, it states it will notify users by posting a notice or sending a direct notification before the changes take effect.

Added May 12, 2026 Standard Seen across 262 platforms