Microsoft shares your personal data with affiliated companies, vendors working on its behalf, and others including in response to legal requirements or in connection with corporate transactions such as mergers or acquisitions. Some sharing requires your consent; other sharing occurs without it under the described conditions.
This analysis describes what Microsoft's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The statement identifies multiple categories of third parties with whom personal data may be shared, including affiliates, service vendors, and parties in legal or corporate transaction contexts, which determines the breadth of entities that may access user data.
The updated policy establishes additional grounds on which Microsoft may retain personal data. While the prior version tied retention to specific user expectations and available deletion controls, th…
The updated policy now grounds data retention in five broad business purposes: operating the business, meeting contractual and legal obligations, improving and developing products and services, prote…
The updated Privacy Statement removes previously stated language about additional rights available to European Economic Area users, narrowing the policy's explicit protections in that region. Simulta…
Your personal data collected through Microsoft products may be shared with Microsoft subsidiaries, service providers, and others in circumstances including legal compliance and corporate transactions. Users seeking to understand who receives their data can review the statement's list of sharing categories.
How other platforms handle this
When you ask us to open an Account, we or someone acting for us will ask for information about you and where the money you will put in your Account comes from. We do this for a number of reasons, including to check your credit score and identity, and to meet our legal and regulatory requirements. Ou...
We may share your personal information with third parties, including service providers, financial institutions, regulatory authorities, and fraud prevention agencies, where necessary to provide our services, comply with legal obligations, or protect against fraud and financial crime.
We may share your information with third-party advertising partners to provide you with targeted advertising. We also work with third-party analytics providers who help us understand how users interact with our Services. These third parties may use cookies, web beacons, and similar tracking technolo...
Monitoring
Microsoft has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We share your personal data with your consent or as necessary to complete any transaction or provide any product you have requested or authorized. We also share data with Microsoft-controlled affiliates and subsidiaries; with vendors or agents working on our behalf; when required by law or to respond to legal process; to protect the rights or property of Microsoft or our customers, including enforcing the agreements governing the use of the services; and in connection with a merger, acquisition, or sale of assets.— Excerpt from Microsoft's Microsoft Privacy Statement (Legacy)
REGULATORY LANDSCAPE: Third-party data sharing engages GDPR requirements on data transfers to third parties including processors and controllers, and EU standard contractual clauses for international transfers; CCPA requirements on disclosure of third-party sharing categories and opt-out rights for sharing constituting a sale; and FTC Act requirements on accuracy of sharing representations. Enforcement authorities include EU data protection authorities, the California Privacy Protection Agency, and the FTC. GOVERNANCE EXPOSURE: Medium. The statement's description of sharing categories is broad; compliance teams must assess whether specific sharing arrangements are covered by appropriate contractual protections, including data processing agreements for vendors and standard contractual clauses for international transfers. JURISDICTION FLAGS: GDPR Chapter V requirements for international data transfers apply where data is transferred outside the EU and EEA. CCPA requires disclosure of specific categories of third parties to whom personal information is disclosed. The merger and acquisition carve-out for data sharing is standard but warrants monitoring in the event of a significant corporate transaction. CONTRACT AND VENDOR IMPLICATIONS: Organizations using Microsoft as a vendor should assess whether data processing agreements adequately address sub-processor relationships implied by the vendor sharing described in this provision. Sub-processor lists and notification obligations should be reviewed. COMPLIANCE CONSIDERATIONS: Compliance teams should maintain a current sub-processor and third-party sharing inventory aligned with this provision; verify that international transfer mechanisms (standard contractual clauses or equivalent) are in place; and assess whether the merger and acquisition sharing carve-out requires notification obligations under applicable law.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The statement identifies multiple categories of third parties with whom personal data may be shared, including affiliates, service vendors, and parties in legal or corporate transaction contexts, which determines the breadth of entities that may access user data.
Your personal data collected through Microsoft products may be shared with Microsoft subsidiaries, service providers, and others in circumstances including legal compliance and corporate transactions. Users seeking to understand who receives their data can review the statement's list of sharing categories.
ConductAtlas has identified this type of provision across 6 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Microsoft.