10 Total
0 High severity
8 Medium severity
2 Low severity
Summary

This document establishes Microsoft's privacy practices across its product portfolio including Windows, Microsoft 365, Bing, Xbox, Copilot, Teams, and Azure, and specifies categories of personal data collected such as identifiers, location, voice recordings, browsing history, and user-created content. The statement authorizes Microsoft to process personal data for advertising, product improvement, and AI model development, and permits disclosure to advertising and analytics partners. The document outlines data subject rights including access, correction, deletion, and objection mechanisms available to EU, UK, and U.S. state residents, with management and requests processed through account.microsoft.com/privacy.

Technical / Legal Breakdown

This document is the Microsoft Privacy Statement (last updated March 2026), governing the collection, use, and sharing of personal data across Microsoft's consumer and enterprise products, services, websites, and applications, with legal bases including consent, contract performance, legitimate interests, and legal obligation depending on jurisdiction. The statement authorizes collection of identifiers, device and configuration data, browsing and search history, location data, voice and audio recordings, content and communications data, and inferences drawn from these categories; it also authorizes use of this data for product improvement, personalization, advertising, security, and AI model development, and sharing with subsidiaries, affiliates, advertising partners, analytics providers, and other third parties as described. Notably, the statement covers a broad spectrum of Microsoft products simultaneously under a single umbrella document, including AI and Copilot capabilities, enterprise services, consumer productivity apps, gaming (Xbox), and health-related features, creating jurisdiction-dependent variation in how specific provisions apply; the document asserts data use for AI and Copilot improvement and personalization, which may engage emerging regulatory frameworks in ways the statement does not fully resolve. The statement explicitly references GDPR applicability for EU and UK users, CCPA and U.S. state privacy law applicability for qualifying residents, and COPPA-related protections for children under 13; Microsoft's EU and UK Data Protection Officer contact is disclosed, and the statement describes standard mechanisms such as data subject access requests, deletion rights, and opt-out controls available through the Microsoft Privacy Dashboard and account settings.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

10 important changes detected

10 versions captured · Last updated: June 2026

June 30, 2026

unknown
What changed Microsoft updated their Microsoft Privacy Statement (Legacy) on June 30, 2026. Change detected: 1 sentence(s) modified. Document contained 1628 sentences after update.
View full change record →
What changed Microsoft's Privacy Statement table of contents was reorganized on June 28, 2026. Several product and feature references were relocated or renamed within the document structure: 'Microsoft Family' became 'Microsoft Family Safety', 'Phone Link - Link to Windows' became 'Linked Mobile Experiences on Windows', and several other entries were repositioned. The substantive privacy disclosures and policies themselves remain unchanged; this appears to be a reorganization of how products and features are presented in the navigation structure.
Why this matters This change does not materially alter Microsoft's privacy practices or user rights. The Privacy Statement's table of contents was reorganized, and some product feature names were adjusted for clarity (for example, 'Microsoft Family' is now labeled 'Microsoft Family Safety' in the navigation). The underlying privacy disclosures, data collection practices, and user controls remain as previously stated.
View full change record →

June 26, 2026 unknown

Microsoft updated their Microsoft Privacy Statement (Legacy) on June 26, 2026. Change detected: 211 sentence(s) added, 879 sentence(s) removed, 796 sentence(s) modified. Document contained 1628 sentences after update.

View change record →
April 19, 2026 medium

Microsoft modified its data retention policy language on April 19, 2026. Previously, the policy described specific retention criteria including whether customers expected data to be retained until they removed it, …

View change record →
April 8, 2026 low

Microsoft's Privacy Statement was updated on April 8, 2026, with 2 sentences added, 11 sentences removed, and 10 sentences modified. The document previously contained specific language across these sections that …

View change record →
April 1, 2026 medium

Microsoft revised its data retention policy language on April 1, 2026. Previously, the policy outlined specific retention criteria including whether customers expected data retention until deletion, whether automated deletion controls …

View change record →
March 13, 2026 medium

Microsoft updated its Privacy Statement in March 2026 with two substantive changes: removal of language describing additional rights for European Economic Area users, and addition of language authorizing contact via …

View change record →
March 5, 2026 low

Microsoft added two sentences to its Privacy Statement on March 5, 2026, stating that it has updated its data retention policy to reflect new regulatory requirements effective March 2026, and …

View change record →
March 5, 2026 low

Microsoft removed two sentences from its Privacy Statement on March 5, 2026. Without access to the specific sentences that were deleted, the operational impact cannot be determined from the change …

View change record →
March 5, 2026 medium

Microsoft removed a sentence from its privacy statement that described consent-based marketing contact via auto-dialer and prerecorded voice technology potentially generated using AI. The updated document no longer explicitly discloses …

View change record →

Recent Provision Changes Jun 30, 2026

10 provisions unchanged.

View full change record →
Medium — 8 provisions
Low — 2 provisions

Monitoring

Microsoft has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle AI and Copilot Data Collection and similar clauses.

Compare across platforms →

Mapped Governance Frameworks

BIPA
Illinois, USA
View official text ↗
CCPA/CPRA
California, USA
View official text ↗
Connecticut Data Privacy Act Amendments
US-CT
View official text ↗
CAN-SPAM
United States Federal
View official text ↗
DMA
European Union
View official text ↗
FTC Act Section 5
United States Federal
View official text ↗
GDPR
European Union
View official text ↗
Indiana Consumer Data Protection Act
US-IN
View official text ↗
Kentucky Consumer Data Protection Act
US-KY
View official text ↗
UK GDPR
United Kingdom
View official text ↗
Universal Opt-Out Mechanism Expansion 2026
US
View official text ↗
VPPA
United States Federal
View official text ↗
Archival ProvenanceSource & Archival Record
Last Captured June 30, 2026 00:03 UTC
Capture Method Automated scheduled archival capture
Document ID CA-D-000001
Version ID CA-V-004314
SHA-256 8d2402a9a4edd754f7948aeb28481a87ee7f4865aafd1d3042de12dacd9ddc8c
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Governance Monitoring

Monitor governance changes across the platforms you rely on.

Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.

Create free account Compare plans