9 Total
4 High severity
5 Medium severity
0 Low severity
Summary

This is Microsoft's main privacy policy, covering every Microsoft product and service you use — from Windows and Xbox to Bing, Teams, Copilot, and Microsoft 365. The most important thing to know is that Microsoft collects a wide range of data about you including your location, voice recordings, browsing history, search queries, and what you type or say to AI tools like Copilot, and uses this data for advertising and product improvement unless you actively opt out. You can review and adjust your privacy settings, delete your data, or opt out of interest-based advertising at account.microsoft.com/privacy.

Technical Summary

This document is Microsoft's global Privacy Statement (last updated March 2026), governing data collection, use, and sharing across all Microsoft consumer and enterprise products and services, with legal bases including consent, contractual necessity, legitimate interests, and legal obligation under GDPR Art. 6. The statement creates obligations for Microsoft to provide data access, correction, deletion, portability, and objection rights to users, while authorizing broad collection of behavioral, biometric (voice), location, browsing, diagnostic, and inferred data across connected products. Notable deviations from a minimal-collection standard include the collection of voice data to improve speech recognition, advertising-related cross-context behavioral profiling via Bing and MSN, and the use of AI/Copilot interaction content (prompts and outputs) for product improvement, with opt-out mechanisms that vary in accessibility by product. The statement engages GDPR (EU/EEA), UK GDPR, CCPA/CPRA (California), Washington My Health Data Act, and other U.S. state privacy laws (Virginia, Colorado, Connecticut, Texas, Oregon), with Microsoft serving as both data controller and, for enterprise services, data processor. Material compliance considerations include ensuring lawful transfer mechanisms for cross-border data flows (SCCs, adequacy decisions), verifying that AI/Copilot data use disclosures satisfy GDPR Art. 13/14 transparency requirements, and confirming that children's data protections meet COPPA and applicable age-verification standards across all products.

Evidence Provenance
Captured April 19, 2026 06:03 UTC
Document ID CA-D-000001
Version ID CA-V-000629
SHA-256 df6d59073298e33eb92498505dee7c3099cd31586ddc77e63dd8c5451ad917cf
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed
Analyzed Changes

5 changes analyzed since monitoring began.

What changed: Microsoft updated their Microsoft Privacy Statement (Legacy) on April 08, 2026. Change detected: 1 sentence(s) modified. Document contained 2296 sentences after update.
Consumer impact: Microsoft made a cosmetic formatting change to the header of its Privacy Statement page, adding a 'Privacy' navigation label. No substantive policy language was altered, and this change does not affect how your personal data is collected, used, or shared. There is no action required in response to this update.
Why it matters: This change is purely cosmetic and does not affect any privacy rights or data practices. Users do not need to take any action.

What changed: Microsoft updated their Microsoft Privacy Statement (Legacy) on April 01, 2026. Change detected: 1 sentence(s) added, 11 sentence(s) removed, 9 sentence(s) modified. Document contained 2296 sentences after update.
Consumer impact: Microsoft's updated Privacy Statement is less specific about what triggers shorter data retention periods for sensitive information like geolocation. The old version explicitly stated that sensitive data or data lacking an automated deletion control would result in shorter retention, giving users clearer expectations. The new version groups these considerations into broader categories, reducing transparency about exactly how long specific types of your personal data may be stored.
Why it matters: Microsoft has made its data retention rules less specific, removing explicit protections that previously limited how long sensitive data could be kept. This reduces users' ability to predict or challenge how long their personal information is stored.

What changed: Microsoft updated their Microsoft Privacy Statement (Legacy) on March 13, 2026. Change detected: 1 sentence(s) added, 2 sentence(s) removed, 1 sentence(s) modified. Document contained 2306 sentences after update.
Consumer impact: Microsoft has added language allowing it to use auto-dialers and AI-generated or prerecorded voices to contact you for marketing purposes if you've provided a phone number and consented to marketing communications. Additionally, language previously granting extra rights to users in the European Economic Area has been removed, which may reduce protections for those users. You can review and withdraw any consent you've given for marketing communications in your Microsoft account settings to avoid being contacted by automated or AI-generated calls.
Why it matters: Microsoft can now use automated systems and AI-generated voices to call you for marketing — a significant expansion of how your phone number can be used. The simultaneous removal of EEA rights language means European users may have fewer explicitly stated protections than before.

What changed: Microsoft updated their Microsoft Privacy Statement (Legacy) on March 05, 2026. Change detected: 2 sentence(s) added, 1 sentence(s) modified. Document contained 2307 sentences after update.
Consumer impact: Microsoft has updated its data retention policy to comply with new regulatory requirements taking effect in March 2026, which may change how long your personal data is stored. Users in the European Economic Area are explicitly granted additional privacy rights under this updated policy. You can review Microsoft's updated privacy statement to understand what new rights apply to you, particularly if you are located in the EEA.
Why it matters: EEA users now have explicitly stated additional privacy rights under Microsoft's updated policy, which could include new or enhanced controls over their personal data. The retention policy change may also affect how long Microsoft holds data for all users, with compliance implications for any organization that relies on Microsoft's stated retention practices in its own privacy documentation.

What changed: Microsoft updated their Privacy Statement on March 05, 2026. Change detected: minor structural change detected. Document contained 2305 sentences after update.
Consumer impact: Microsoft made a minor structural update to its Privacy Statement on March 5, 2026, likely involving reorganization or light rewording rather than any substantive change to how your data is collected or used. There is no indication that new data rights were added or removed, or that any consumer-facing protections changed. No immediate action is required from consumers at this time.
Why it matters: Even minor structural changes to a major platform's privacy statement can occasionally mask substantive updates, making it worth logging and monitoring. In this case, no material impact on consumer data rights or protections has been identified.

Recent Clause-Level Changes Apr 8, 2026

8 provisions unchanged.

High Severity — 4 provisions
Medium Severity — 5 provisions

Applicable Regulations

EU AI Act (European Union)
BIPA (Illinois, USA)
CCPA/CPRA (California, USA)
CFAA (United States Federal)
CAN-SPAM (United States Federal)
DMA (European Union)
DSA (European Union)
GDPR (European Union)
TCPA (United States Federal)
UK GDPR (United Kingdom)