What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://account.microsoft.com/privacy', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': "Visit account.microsoft.com/privacy, sign in, and navigate to the data category you wish to delete or export. For a comprehensive deletion request under state privacy law, use the 'Delete' options in each category or contact Microsoft's privacy team through the contact information in their privacy statement.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'State_AG', 'reason': "State Attorneys General in California, Colorado, Virginia, Connecticut, Texas, Oregon, and other states enforce state consumer data privacy laws that give residents rights against Microsoft's data practices.", 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this U.S. State Data Privacy Rights clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar U.S. State Data Privacy Rights clauses across approximately 1 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

U.S. State Data Privacy Rights — Microsoft

Share 𝕏 Share in Share 🔒 PDF

Watch Microsoft Get alerts when this provision or policy changes.

Watch — $9.99/mo

What it is

If you live in California, Colorado, Virginia, Connecticut, or certain other US states, you have legal rights to access, correct, delete, and export your personal data, and to opt out of it being shared for advertising. Microsoft says it does not 'sell' personal data.

Why it matters (compliance & risk perspective)

State privacy laws give millions of Americans enforceable rights over their personal data that go beyond what Microsoft voluntarily offers — knowing which state you live in determines what rights you can legally demand.

Consumer impact (what this means for users)

Residents of California, Colorado, Virginia, Connecticut, Texas, Oregon, and other states with privacy laws can legally demand that Microsoft provide, correct, or delete their personal data, and can opt out of data sharing for targeted advertising — these are enforceable legal rights, not just policy promises.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Visit account.microsoft.com/privacy, sign in, and navigate to the data category you wish to delete or export. For a comprehensive deletion request under state privacy law, use the 'Delete' options in each category or contact Microsoft's privacy team through the contact information in their privacy statement.

How other platforms handle this

Slack Medium

Slack does not sell (as such term is defined in the CCPA or otherwise) the personal information we collect (and will not sell it without providing a right to opt out). We may also share personal information (in the form of identifiers and internet activity information) with third party advertisers f...

Robinhood Medium

Residents of some states may have rights with respect to their personal information, such as rights to access, delete, or correct such information and to opt out of certain processing activities. These rights do not apply where personal information is governed instead by federal financial privacy la...

OpenAI Medium

Depending on your location, you may have certain rights regarding your personal information, such as the right to access, correct, delete, or port your data. You can exercise these rights by visiting our Privacy Portal at privacy.openai.com or by emailing us at privacy@openai.com.

See all platforms with this clause type →

This clause could change without notice.

Get alerted when Microsoft updates this policy — with plain-language summaries and severity ratings.

Watch Microsoft Need compliance memos? Professional →

View original clause language

Depending on where you live, you may have certain rights with respect to your personal data. For example, residents of California, Colorado, Connecticut, Virginia, and other states may have rights to access, correct, delete, and obtain a copy of their personal data, as well as the right to opt out of the sale or sharing of personal data. Microsoft does not sell personal data as defined under applicable state privacy laws. If you wish to exercise your state privacy rights, please visit our privacy dashboard or contact us as described in the 'How to contact us' section of this privacy statement.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: CCPA/CPRA (Cal. Civ. Code §1798.100–1798.199, enforced by CPPA and CA AG), Colorado Privacy Act (CPA, C.R.S. §6-1-1301, enforced by CO AG), Virginia Consumer Data Protection Act (VCDPA, Va. Code §59.1-575, enforced by VA AG), Connecticut Data Privacy Act (CTDPA, Conn. Gen. Stat. §42-515, enforced by CT AG), Texas Data Privacy and Security Act (TDPSA, Bus. & Com. Code §541.001, enforced by TX AG), Oregon Consumer Privacy Act (OCPA, ORS §646A.570, enforced by OR AG), and Montana Consumer Data Privacy Act. Each law establishes distinct rights timelines, appeal requirements, and opt-out mechanisms that must be separately operationalized.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

State AG

State Attorneys General in California, Colorado, Virginia, Connecticut, Texas, Oregon, and other states enforce state consumer data privacy laws that give residents rights against Microsoft's data practices.
File a complaint →

Applicable regulations

United States Federal

CAN-SPAM

United States Federal

FCRA

United States Federal

GDPR

European Union

GLBA

United States Federal

HIPAA

United States Federal

TCPA

United States Federal

UK GDPR

United Kingdom

Provision details

Document information

Document

Microsoft Privacy Statement (Legacy)

Entity

Microsoft

Document last updated

March 5, 2026

Tracking information

First tracked

April 9, 2026

Last verified

April 9, 2026

Record ID

CA-P-002503

Document ID

CA-D-00001

Evidence Provenance

Source URL

https://www.microsoft.com/en-us/privacy/privacystatement

Wayback Machine

View archived versions →

SHA-256

7a7aaaae65bc958b5f0f4bd77710852e41e6cfb0400ed13c15acbc6d552e2a1d

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Microsoft | Document: Microsoft Privacy Statement (Legacy) | Record: CA-P-002503
Captured: 2026-04-09 15:01:32 UTC | SHA-256: 7a7aaaae65bc958b…
URL: https://conductatlas.com/platform/microsoft/microsoft-privacy-statement-legacy/us-state-data-privacy-rights/
Accessed: May 4, 2026

Classification

Severity

Medium

U.S. State Data Privacy Rights

What it is

Why it matters (compliance & risk perspective)

Consumer impact (what this means for users)

What you can do

Institutional analysis (Compliance & legal intelligence)

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

Frequently Asked Questions