8 Total
3 High severity
5 Medium severity
0 Low severity
Summary

This is Microsoft's main privacy policy covering all Microsoft products including Xbox consoles, Xbox Game Pass, and Xbox Live — it explains what personal data Microsoft collects about you and how it is used. The most important thing to know is that Microsoft collects a wide range of data including your voice recordings, location, gaming activity, payment information, and inferences about your interests, and may use this data to train AI models and serve targeted advertising. You can manage your privacy settings and review data Microsoft holds about you by visiting your Microsoft Privacy Dashboard at account.microsoft.com/privacy.

Technical Summary

This document is the Microsoft Privacy Statement, which governs the collection, use, and sharing of personal data across all Microsoft products and services including Xbox, operating under legal bases including consent, contractual necessity, and legitimate interests as applicable across jurisdictions including the EU (GDPR), US states (CCPA/CPRA), and other global regimes. The statement obligates Microsoft to disclose categories of data collected (including name, contact information, payment data, usage data, voice data, location data, and inferences), purposes of processing, and data subject rights including access, deletion, portability, correction, and opt-out of certain processing. Notable provisions include the broad collection of biometric-adjacent data (voice and handwriting), cross-product data sharing within the Microsoft corporate family, the use of personal data to train AI and productivity features, and the retention of data for extended periods tied to business purposes rather than collection purpose. The statement engages GDPR (EU 2016/679), CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), COPPA (15 U.S.C. §6501), Washington My Health My Data Act, and state biometric privacy laws; material compliance considerations include the adequacy of consent mechanisms for AI training data use, the sufficiency of parental consent controls for Xbox minors, and cross-border data transfer mechanisms including Standard Contractual Clauses. The document's scope across Xbox, Windows, Microsoft 365, Bing, Cortana, and Azure creates compounded regulatory exposure requiring product-specific data mapping and jurisdiction-specific consent frameworks.

Institutional Analysis

REGULATORY EXPOSURE: This document engages GDPR (EU 2016/679, Arts. 5, 6, 9, 13, 14, 17, 20) enforced by EU DPAs and the Irish Data Protection Commission as Microsoft's EU lead supervisory authority; CCPA/CPRA (Cal. Civ. Code §1798.100–1798.199) enforced by the California Privacy Protection Agency …

Evidence Provenance
Captured April 1, 2026 06:04 UTC
Document ID CA-D-000018
Version ID CA-V-000408
SHA-256 9747780db9713278eb767f30b62e22d28d9779dfd8af583372a209ed3f6f92c8
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed
Change Timeline
Analyzed Changes

2 changes analyzed since monitoring began.

What changed: Xbox updated their Xbox Privacy Statement on April 01, 2026. Change detected: 1 sentence(s) added, 11 sentence(s) removed, 9 sentence(s) modified. Document contained 2296 sentences after update.
Consumer impact: Xbox has rewritten its data retention policy to use broader, less specific language about how long it holds your personal data. Previously, the policy spelled out concrete criteria — like whether you had a dashboard control to delete data or whether a specific retention period had been announced — which gave users clearer expectations. The new language replaces these specifics with general categories, potentially giving Xbox more discretion over how long it retains your information. You can visit the Microsoft privacy dashboard to review and delete personal data associated with your account.
Why it matters: Xbox has replaced specific, concrete data retention rules with vague general criteria, giving itself more flexibility in how long it keeps your personal data. This makes it harder for users and regulators to hold Xbox accountable to specific retention limits.

What changed: Microsoft updated their Microsoft Privacy Statement on March 13, 2026. Change detected: 1 sentence(s) added, 1 sentence(s) modified. Document contained 2306 sentences after update.
Consumer impact: If you have ever given Microsoft your phone number and consented to marketing communications, this update clarifies that Microsoft may now contact you using automated dialers or AI-generated prerecorded voice messages. This expands the types of automated outreach Microsoft can use, moving beyond traditional robocalls to include AI-synthesized voice. You can review and withdraw your marketing communication consent in your Microsoft account settings to avoid receiving these calls.
Why it matters: Microsoft is now explicitly reserving the right to use AI-generated voice and auto-dialers for marketing calls, which is a meaningful expansion of how your phone number can be used. Under federal law, this type of outreach requires a specific and informed level of consent that general marketing opt-ins may not satisfy.
High Severity — 3 provisions
Medium Severity — 5 provisions