What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://account.microsoft.com/privacy/ad-settings', 'difficulty': 'EASY', 'action_type': 'DELETE_DATA', 'instructions': "Sign in to your Microsoft account, go to Privacy Dashboard, select 'Ad settings', and toggle off 'See personalised ads in your browser' and 'See personalised ads wherever I use my Microsoft account'.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC oversees unfair or deceptive advertising practices and has issued guidance on behavioural advertising and consumer data use.', 'full_name': 'Federal Trade Commission (FTC)', 'description': 'Oversees unfair or deceptive business practices and can investigate companies that mislead consumers about data collection, sharing, or use.', 'who_can_file': "Anyone affected by the company's practices (US or international)", 'complaint_url': 'https://reportfraud.ftc.gov/', 'what_you_need': 'Your account details, a timeline of relevant events, and a description of the specific issue', 'what_to_expect': 'Complaints inform FTC enforcement priorities and investigations but do not result in individual resolution or compensation'}, {'agency': 'State_AG', 'reason': 'California residents have CCPA opt-out rights regarding sale or sharing of personal data for advertising purposes enforceable by the California AG.', 'full_name': 'State Attorney General', 'description': 'State AGs in California, New York, Texas, and other states can investigate violations of state consumer protection and privacy laws, including CCPA (California), SHIELD Act (New York), and equivalents.', 'who_can_file': 'Residents of states with comprehensive privacy laws — primarily California, Virginia, Colorado, Connecticut, and Utah', 'complaint_url': 'Search "[your state] attorney general consumer complaint" to find your state\'s direct complaint form', 'what_you_need': 'Evidence of the violation, explanation of how your state rights were affected, and your account or contact information with the company', 'what_to_expect': 'Outcomes vary by state. May result in investigation, enforcement action, or requirement for the company to change practices. No direct individual compensation in most cases.'}

What is the severity of this clause?

ConductAtlas classifies this Targeted Advertising Using Personal Data clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Targeted Advertising Using Personal Data — Microsoft

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for Microsoft Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

Microsoft uses data about you — including your browsing history, search queries, location, and interests — to show you personalised advertisements across its products and partner networks.

ⓘ

This analysis describes what Microsoft's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Your online behaviour across Microsoft's ecosystem is aggregated to build an advertising profile used to target you with ads, which may include data from multiple services you use.

Recent Activity

This document changed recently

Medium Apr 19, 2026

The updated policy establishes additional grounds on which Microsoft may retain personal data. While the prior version tied retention to specific user expectations and available deletion controls, the revised language authorizes retention for 'operating our business, meeting our contractual and legal obligations, improving and developing our products and services, protecting the safety and security of our systems and customers, and resolving disputes.' This expands the stated purposes beyond transaction fulfillment and legal compliance. The updated policy directs users to product-specific documentation for retention details rather than providing explicit deletion procedures and timelines in the privacy statement itself.

View change record →

Medium Apr 1, 2026

The updated policy now grounds data retention in five broad business purposes: operating the business, meeting contractual and legal obligations, improving and developing products and services, protecting system and customer safety, and resolving disputes. Previously, the policy articulated specific criteria for determining retention periods, including customer expectations for retention until manual deletion, availability of automated deletion controls, and data sensitivity. The revised language removes these granular criteria and instead requires users to consult individual product documentation to understand when their specific data will be deleted. This shifts the burden of finding retention timelines from the main policy statement to separate product-specific documents.

View change record →

Medium Mar 13, 2026

The updated Privacy Statement removes previously stated language about additional rights available to European Economic Area users, narrowing the policy's explicit protections in that region. Simultaneously, the revised terms now explicitly authorize Microsoft to contact users via auto-dialer and prerecorded voice for marketing purposes, provided the user has consented to receive marketing communications to the phone number supplied. This establishes Microsoft's contractual permission to initiate automated marketing calls using artificial intelligence-generated voice technology where user consent to marketing contact has been given.

View change record →

Consumer impact (what this means for users)

Microsoft collects extensive personal data — including location, voice recordings, typed content, browsing history, and health-related data — across its entire product ecosystem, and uses this data for personalised advertising, product improvement, and AI model training. Data may be shared with third-party partners, advertisers, and other Microsoft-affiliated companies, and some data may be retained even after account deletion. You can review, download, or delete your personal data by visiting account.microsoft.com/privacy and adjusting settings via the Microsoft Privacy Dashboard.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Sign in to your Microsoft account, go to Privacy Dashboard, select 'Ad settings', and toggle off 'See personalised ads in your browser' and 'See personalised ads wherever I use my Microsoft account'.

Cross-platform context

See how other platforms handle Targeted Advertising Using Personal Data and similar clauses.

Compare across platforms →

Monitoring

Microsoft has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

Targeted advertising based on behavioural profiling engages GDPR consent requirements under Art. 6(1)(a) and CCPA opt-out rights under Cal. Civ. Code § 1798.120; compliance teams should verify whether Microsoft's ad personalisation constitutes 'sale' or 'sharing' of personal information under CCPA.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

Federal Trade Commission (ftc)

Oversees unfair or deceptive business practices and can investigate companies that mislead consumers about data collection, sharing, or use.

Who can file: Anyone affected by the company's practices (US or international)

What you need: Your account details, a timeline of relevant events, and a description of the specific issue

What to expect: Complaints inform FTC enforcement priorities and investigations but do not result in individual resolution or compensation

File a complaint →
State Attorney General

State AGs in California, New York, Texas, and other states can investigate violations of state consumer protection and privacy laws, including CCPA (California), SHIELD Act (New York), and equivalents.

Who can file: Residents of states with comprehensive privacy laws — primarily California, Virginia, Colorado, Connecticut, and Utah

What you need: Evidence of the violation, explanation of how your state rights were affected, and your account or contact information with the company

What to expect: Outcomes vary by state. May result in investigation, enforcement action, or requirement for the company to change practices. No direct individual compensation in most cases.

Search "[your state] attorney general consumer complaint" to find your state's direct complaint form

Provision details

Document information

Document

Microsoft Privacy Statement (Legacy)

Entity

Microsoft

Document last updated

March 5, 2026

Tracking information

First tracked

March 6, 2026

Last verified

March 9, 2026

Record ID

CA-P-00001001

Document ID

CA-D-00001

Evidence Provenance

Source URL

https://www.microsoft.com/en-us/privacy/privacystatement

Wayback Machine

View archived versions →

Content hash (SHA-256)

b3c85aa6a19fc8ce1bad351ae60d82fbee162cdf439701bea9f0007ce7de8bc0

Analysis generated

March 6, 2026 20:13 UTC

Methodology

summarize_document-v7

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Microsoft
Document: Microsoft Privacy Statement (Legacy)
Record ID: CA-P-00001001
Captured: 2026-03-06 20:13:02 UTC
SHA-256: b3c85aa6a19fc8ce…
URL: https://conductatlas.com/platform/microsoft/microsoft-privacy-statement-legacy/targeted-advertising-using-personal-data/
Accessed: June 10, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

AI and Copilot Data Use high
Collection of Health and Biometric Data high
Children's Privacy and Parental Consent high
Data Retention After Account Deletion medium
Cross-Product and Third-Party Data Sharing high
Diagnostic and Telemetry Data Collection (Windows) medium

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Microsoft's Targeted Advertising Using Personal Data clause do?

Your online behaviour across Microsoft's ecosystem is aggregated to build an advertising profile used to target you with ads, which may include data from multiple services you use.

Is ConductAtlas affiliated with Microsoft?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Microsoft.