Microsoft shares your personal data across its family of products and services, and also shares data with third-party partners including advertisers, service providers, and app developers who integrate with Microsoft platforms.
Why it matters
Data you provide in one Microsoft product — such as Outlook or LinkedIn — may be shared with other Microsoft products and with external companies, expanding the reach of your personal information beyond what you might expect.
Third-party data sharing arrangements must be governed by appropriate data processing agreements under GDPR Art. 28 and CCPA service provider requirements; legal teams evaluating Microsoft as a data processor should audit the chain of sub-processors disclosed in Microsoft's online services terms.
🔒
Compliance intelligence locked
Regulatory citations, enforcement risk, and due diligence action items.
Watcher: regulatory citations. Professional: full compliance memo.
Consumer impact
Microsoft collects extensive personal data — including location, voice recordings, typed content, browsing history, and health-related data — across its entire product ecosystem, and uses this data for personalised advertising, product improvement, and AI model training. Data may be shared with third-party partners, advertisers, and other Microsoft-affiliated companies, and some data may be retained even after account deletion. You can review, download, or delete your personal data by visiting account.microsoft.com/privacy and adjusting settings via the Microsoft Privacy Dashboard.
What you can do
⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
Export Your Data
Visit the Microsoft Privacy Dashboard at account.microsoft.com/privacy, select 'Download your data', and choose the data categories you wish to export to review what Microsoft holds and shares about you.
Applicable agencies
Federal Trade Commission (ftc)
Oversees unfair or deceptive business practices and can investigate companies that mislead consumers about data collection, sharing, or use.
Who can file: Anyone affected by the company's practices (US or international)
What you need: Your account details, a timeline of relevant events, and a description of the specific issue
What to expect: Complaints inform FTC enforcement priorities and investigations but do not result in individual resolution or compensation
State AGs in California, New York, Texas, and other states can investigate violations of state consumer protection and privacy laws, including CCPA (California), SHIELD Act (New York), and equivalents.
Who can file: Residents of states with comprehensive privacy laws — primarily California, Virginia, Colorado, Connecticut, and Utah
What you need: Evidence of the violation, explanation of how your state rights were affected, and your account or contact information with the company
What to expect: Outcomes vary by state. May result in investigation, enforcement action, or requirement for the company to change practices. No direct individual compensation in most cases.
Search "[your state] attorney general consumer complaint" to find your state's direct complaint form