What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://account.microsoft.com/privacy', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': "Log in to account.microsoft.com/privacy and use the data deletion tools to clear specific data categories such as search history, location data, and activity history. For account closure and comprehensive deletion, select 'Close my account' in account settings.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': "FTC has authority to enforce against deceptive data retention practices where Microsoft's vague retention periods do not match its actual data handling under FTC Act Section 5.", 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Data Retention Policy clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar Data Retention Policy clauses across approximately 55 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

Data Retention Policy — Microsoft

Share 𝕏 Share in Share

What it is

Microsoft keeps your personal data for as long as it needs to provide services and meet legal requirements, with actual retention periods varying significantly by data type and product.

Consumer impact (what this means for users)

Microsoft does not commit to specific retention periods for most data types, meaning personal data including browsing history, voice recordings, and AI interaction content could be retained indefinitely until a user actively requests deletion through account.microsoft.com/privacy.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Log in to account.microsoft.com/privacy and use the data deletion tools to clear specific data categories such as search history, location data, and activity history. For account closure and comprehensive deletion, select 'Close my account' in account settings.

How other platforms handle this

Zelle Medium

Length of business/commercial relationship plus up to 10 years (for B2B Personal Information received via a form on the Website to become a Network Financial Institution or Service Provider)

Snapchat Medium

In some cases we need to comply with legal requirements to store your data which stops us from deleting your information. For example, if we receive a notice from a court asking us to keep a copy of your content. Other reasons we may keep a copy of your data are if we get reports of abuse or other T...

X Medium

If you follow the instructions here, your account will be deactivated and your data will be queued for deletion. When deactivated, your X account, including your display name, username, and public profile, will no longer be viewable on X.com, X for iOS, and X for Android. For up to 30 days after dea...

See all platforms with this clause type →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Vague retention periods mean your data may be held by Microsoft for years beyond your active use of a product, and without clear timeframes, it is difficult for consumers or regulators to assess compliance with data minimization principles.

View original clause language

Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for different data types in the context of different products, actual retention periods can vary significantly. The criteria used to determine the retention period include: whether the data is necessary to provide the service; whether customers have provided, created, or maintained the data; whether Microsoft can achieve a legitimate purpose; whether the data is sensitive; and whether the user has provided consent for a longer retention period.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: This provision implicates GDPR Art. 5(1)(e) (storage limitation — data must be kept no longer than necessary for the specified purpose); GDPR Art. 17 (right to erasure); CCPA/CPRA §1798.100(b) (right to know retention periods); and various sector-specific retention regulations (HIPAA 45 C.F.R. §164.530(j) for health data; SOX for financial records). GDPR requires that retention periods or criteria be communicated to data subjects under Arts. 13 and 14. Enforcement by EU DPAs, California CPPA.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

FTC has authority to enforce against deceptive data retention practices where Microsoft's vague retention periods do not match its actual data handling under FTC Act Section 5.
File a complaint →

Applicable regulations

CCPA/CPRA

California, USA

FCRA

United States Federal

GDPR

European Union

GLBA

United States Federal

HIPAA

United States Federal

UK GDPR

United Kingdom

Provision details

Document information

Document

Microsoft Privacy Statement (Legacy)

Entity

Microsoft

Document last updated

March 5, 2026

Tracking information

First tracked

April 28, 2026

Last verified

April 28, 2026

Record ID

CA-P-002501

Document ID

CA-D-00001

Evidence Provenance

Source URL

https://www.microsoft.com/en-us/privacy/privacystatement

Wayback Machine

View archived versions →

SHA-256

9e697464d17b7148c787f07099c60e30370abb2b13a7f2a910f607e31ec13158

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Microsoft | Document: Microsoft Privacy Statement (Legacy) | Record: CA-P-002501
Captured: 2026-04-28 08:11:57 UTC | SHA-256: 9e697464d17b7148…
URL: https://conductatlas.com/platform/microsoft/microsoft-privacy-statement-legacy/data-retention-policy/
Accessed: April 29, 2026

Classification

Severity

Medium

Data Retention Policy

What it is

Consumer impact (what this means for users)

What you can do

Why it matters (compliance & risk perspective)

Institutional analysis (Compliance & legal intelligence)

Applicable agencies

Applicable regulations

Provision details

Other provisions in this document