Overview

The California Consumer Privacy Act of 2018 (“CCPA”) became effective on January 1, 2020 and created a variety of privacy rights for California consumers. In November 2020, California amended the CCPA, effective January 1, 2023. Additional states have passed laws extending similar privacy rights to their consumers, including Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (July 1, 2023), and Utah (December 31, 2023). We use this notice to make disclosures required by these state laws. Please also see our Washington State Consumer Health Data Privacy Policy for disclosures related to the Washington State My Health My Data Act (“MHMDA”).

Please note that the rules implementing some of these laws have not yet been finalized. We are continuously working to better comply with these laws, and we will update our processes, disclosures, and this notice as these implementing rules are finalized.

This notice includes the following parts:

  • Transparency: We are transparent about how your personal information is collected, used, disclosed, shared, and sold.
  • Control: We put you in control of your personal information, including accessing, correcting, and deleting your personal information.
  • Benefits to You: We use your personal information to benefit you and to make your experiences better.

To learn more about Microsoft’s privacy principles, visit privacy.microsoft.com.

Transparency

What Personal Information We Collect and Use

You have the right to know what kinds of personal information Microsoft collects, how we obtain and use that information, and our business purposes for that collection.

In the bulleted list below, we outline the categories of personal information we collect, the sources of the personal information, our purposes of processing, and the categories of recipients to whom we provide the personal information.

Please see the Personal data we collect and the U.S. State Data Privacy sections on our privacy statement for more information. Please see the Our retention of personal data section of our privacy statement for information on personal data retention criteria.

Categories of Personal Data

  • Name and contact data
    • Sources of personal data: Interactions with users and partners with whom we offer co-branded services
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; respond to customer questions; help, secure, and troubleshoot; and marketing
    • Recipients: Service providers and user-directed entities
  • Credentials
    • Sources of personal data: Interactions with users and organizations that represent users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; authentication and account access; and help, secure and troubleshoot
    • Recipients: Service providers and user-directed entities
  • Demographic data
    • Sources of personal data: Interactions with users and purchases from data brokers
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide and personalize our products; product development; help, secure, and troubleshoot; and marketing
    • Recipients: Service providers and user-directed entities
  • Payment data
    • Sources of personal data: Interactions with users and financial institutions
    • Purposes of Processing (Collection and Disclosure to Third Parties): Transact commerce; process transactions; fulfill orders; help, secure, and troubleshoot; and detect and prevent fraud
    • Recipients: Service providers and user-directed entities
  • Interactions
    • Sources of personal data: Interactions with users including data Microsoft generates through those interactions
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide and personalize our products; product improvement; product development; marketing; and help, secure and troubleshoot
    • Recipients: Service providers and user-directed entities
  • Content
    • Sources of personal data: Interactions with users and organizations that represent users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; safety; and help, secure, and troubleshoot
    • Recipients: Service providers and user-directed entities
  • Video or recordings
    • Sources of personal data: Interactions with users and publicly available sources
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; product improvement; product development; marketing; help, secure, and troubleshoot; and safety
    • Recipients: Service providers and user-directed entities
  • Feedback and ratings
    • Sources of personal data: Interactions with users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; product improvement; product development; customer support; and help, secure, and troubleshoot
    • Recipients: Service providers and user-directed entities

Subject to your privacy settings, your consent, and depending on the products you use and your choices, we may collect, process, or disclose certain personal information that qualifies as “sensitive data” under applicable U.S. state data privacy laws. Sensitive data is a subset of personal information. In the list below, we outline the categories of sensitive data we collect, the sources of the sensitive data, our purposes of processing, and the categories of third party recipients to whom we disclose the sensitive data. Please see the Personal data we collect section of our privacy statement for more information about the sensitive data we may collect.

Categories of Sensitive Data

  • Account log-in, financial account, debit or credit card number, and the means to access the account (security or access code, password, credentials, etc.)
    • Sources of sensitive data: Interactions with users and organizations that represent users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide the product and fulfill requested financial transactions
    • Recipients: Service providers and payment processing providers
  • Precise geo-location information
    • Sources of sensitive data: Users’ interactions with the products
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide the service requested; product improvement; some attributes may be disclosed to third parties to provide the service
    • Recipients: Users and service providers (please see the Windows Location Services and Recording section of our privacy statement for more information)
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership
    • Sources of sensitive data: Communications with users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Conduct research studies to better understand how our products are used and perceived and for the purposes of improving the product experiences
    • Recipients: Service providers
  • Medical or mental health, sex life, or sexual orientation
    • Sources of sensitive data: Communications with users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Conduct research studies to better understand how our products are used and perceived and for the purposes of improving the product experiences and accessibility
    • Recipients: Service providers
  • Contents of your mail, email, or text messages (where Microsoft is not the intended recipient of the communication)
    • Sources of sensitive data: Users’ interactions with the products
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; improve the product experience; safety; and help, secure, and troubleshoot
    • Recipients: Service providers
  • Personal data collected from a known child under 13 years of age
    • Sources of sensitive data: Interactions with users and organizations that represent users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; product improvement; product development; recommendations; help, secure, and troubleshoot; and safety
    • Recipients: Service providers and user-directed entities (in accordance with your Microsoft Family Safety settings)

While the bulleted list above contains the primary sources and purposes of processing for personal information collected from children under 13, we also collect personal information from the sources listed in the Collection of Data from children section of our privacy statement.

We make this information available to consumers in the Personal data we collect and the U.S. State Data Privacy sections of our privacy statement.

How We Share Your Personal Information

You have the right to know if your personal information is provided to third parties. We may provide personal information to have our Service Providers, as defined by the CCPA, perform services specified by written contract. In addition, we may disclose personal information to third parties for other notified purposes, as permitted by U.S. state data privacy laws.

We make this information available to consumers in the Reasons we share personal data and the U.S. State Data Privacy sections in our privacy statement.

"Sharing" and personalized ads. We may “share” your personal information with third parties for personalized advertising purposes, as defined under California and other applicable U.S. state laws. “Personalized advertising” in this context means advertisements we believe will be more interesting and useful to you based on your data, including your searches, site visits, and topics you often explore and personal information collected by Microsoft. Third parties may use the data we’ve shared with them to show you personalized ads. Learn more about how to opt out of sharing.

In the bulleted list below, we outline the categories of data we share for personalized advertising purposes, the recipients of the personal data, and our purposes of processing. For a description of the data included in each category, please see the Personal data we collect section of our privacy statement.

Categories of Personal Data

  • Name and contact data
    • Recipients: Third parties that perform online advertising services for Microsoft
    • Purposes of Processing: To deliver personalized advertising based on your interests
  • Demographic data
    • Recipients: Third parties that perform online advertising services for Microsoft
    • Purposes of Processing: To deliver personalized advertising based on your interests
  • Subscription and licensing data
    • Recipients: Third parties that perform online advertising services for Microsoft
    • Purposes of Processing: To deliver personalized advertising based on your interests
  • Interactions
    • Recipients: Third parties that perform online advertising services for Microsoft
    • Purposes of Processing: To deliver personalized advertising based on your interests

As noted in our Advertising section of our privacy statement, we do not deliver personalized advertising to children whose birthdate in their Microsoft account identifies them as under 18 years of age. Please also see the Advertising section for more information about our advertising practices.

We Do Not Sell Your Personal Information

You have the right to know whether your personal information is being sold. Your personal information is “sold” when it is provided to a third party for monetary or other valuable consideration for a purpose that is not a “business purpose” as set forth in the CCPA or other U.S. state data privacy laws. Please note a “sale” does not include when we disclose your personal information at your direction, or when otherwise permitted under law.

Microsoft does not sell your personal information.

Control

Right to Know, Right to Correct, Right to Receive, Right to Delete

You have the right to:

  • Know what specific pieces of personal information Microsoft has collected and retained about you over the previous 12 months.
  • Correct inaccurate personal information Microsoft may have retained.
  • Receive a copy of your personal information.
  • Delete your personal information.

Microsoft makes it easy for you to exercise your rights. Using your privacy dashboard, you can log into your Microsoft account and view, download, or delete the specific pieces of personal information we have collected.

It is important to note that a valid login is required to access or delete personal information associated with a Microsoft account. This safeguard is in place to protect the security of consumers and their data.

If you do not have a Microsoft account or have a more detailed privacy inquiry, you can submit a request to our privacy support team via our web form or call our U.S. toll free number +1 (844) 931 2038. If you use an authorized agent, we provide your agent with detailed guidance on how to exercise your privacy rights. In some situations, we may ask you for more information to help us fulfill your request.

If you have made a request to Microsoft to know, correct, receive, or delete your personal information and believe your request was denied by Microsoft, you can exercise your right to appeal the results of your request by contacting our privacy support team via our web form. If your appeal is unsuccessful and depending upon the state where you live, you may have the right to raise a concern or lodge a complaint with your state attorney general.

Right to Limit Use of Sensitive Personal Information

Subject to your privacy settings, your consent, and depending on the products you use and your choices, we may collect, process, or disclose certain personal information that qualifies as “sensitive data” under applicable U.S. state data privacy laws. Sensitive data is a subset of personal information.

You have the right to limit the use or disclosure of your sensitive data to the following types of activities, in accordance with applicable U.S. state data privacy laws:

  • Perform the services or provide the goods you reasonably expect
  • Help ensure the security and integrity of our services, systems, and data, to combat malicious, deceptive, fraudulent or illegal acts, and to protect the physical safety of individuals, to the extent the processing is reasonably necessary and proportionate
  • For short-term transient use (including non-personalized advertising), so long as the personal data is not disclosed to a third party, is not used for profiling, and is not used to alter an individual’s experience outside the current interaction with Microsoft
  • Perform services on behalf of Microsoft, such as maintaining accounts, providing customer service, processing, or fulfilling orders/transactions, verifying customer information, processing payments, providing financing, providing analytics, providing storage, and similar services
  • Undertake activities to verify or maintain the quality or safety of, or improve, upgrade, or enhance a service or device owned or controlled by Microsoft
  • Collect or process sensitive data where the collection or processing is not for inferring characteristics about the individual
  • Any other activities in accordance with any future regulations that are issued pursuant to U.S. state data privacy laws

We do not use or disclose your sensitive data for purposes other than those listed above, without your consent, or as permitted or required under applicable laws. So, we do not offer an ability to limit the use of sensitive data.

Right to Opt-out of “Sale” or “Sharing”

Microsoft does not sell your personal information, so we do not offer an opt out. Microsoft may “share” personal information with third parties for personalized advertising purposes. You may indicate your choice to opt-out of the sharing of your personal data with third parties for personalized advertising on third party sites by visiting our sharing opt-out page.

Even if you turn off “sharing,” you may still see personalized ads based on information other companies and ad networks have collected about you, if you have not opted out of sharing with them.

Benefits to You

Financial Incentives

The CCPA and other U.S. state data privacy laws allow businesses to offer consumers financial incentives for sharing personal information. For example, a business can offer a rewards program or provide a premium service to consumers as compensation for their personal information. Where Microsoft offers these programs, your participation is optional. If you choose to participate, your participation will be subject to any applicable terms, and you may withdraw at any time.

Non-Discrimination

U.S. state privacy laws prohibit businesses from discriminating against you for exercising your rights under the law. Such discrimination may include denying a good or service, providing a different level or quality of service, or charging different prices. The CCPA permits businesses to provide differing levels or quality or different prices where the business can demonstrate that the difference is reasonably related to the value to the business of the consumer’s personal information.

Disclosure of privacy rights requests

The CCPA requires businesses to disclose the number of requests received, complied with in whole or in part, or denied. We give our customers control over their data through the Microsoft privacy dashboard, which receives millions of requests from customers globally to view and delete data. Requests to view and delete personal data on the Privacy dashboard are fulfilled immediately. We also provide a web form for customers to contact our privacy team, the Privacy Response Center, for additional support. Requests to view, export, and delete personal data are fulfilled within 30 days through the various tools Microsoft provides.

Requests to view and delete personal data

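  • 2020
    • Requests to know from CA consumers through the Microsoft privacy dashboard and Privacy Response Center: 2,951,350
    • Requests to delete from CA consumers through the Microsoft privacy dashboard and Privacy Response Center: 2,846,684
  • 2021
    • Requests to know from CA consumers through the Microsoft privacy dashboard and Privacy Response Center: 1,969,607
    • Requests to delete from CA consumers through the Microsoft privacy dashboard and Privacy Response Center: 1,727,758
  • 2022
    • Requests to know from CA consumers through the Microsoft privacy dashboard and Privacy Response Center: 1,119,654
    • Requests to delete from CA consumers through the Microsoft privacy dashboard and Privacy Response Center: 780,807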


We determine whether someone is a California consumer by (1) IP address for the Privacy Dashboard and (2) whether they mention CCPA in their request for the Privacy Response Center.

Seventeen requests were denied in 2022 due to an inability to verify the request. Two of these were requests to know, and 15 were requests to delete.

The average response time to complete received requests was less than one day. Our privacy team responded to requests from California consumers submitted through our privacy webform with an average of 3 days for access and 4 days for deletion in 2022.

Certain data may not be provided or may be retained according to the Microsoft Privacy Statement, for example, to comply with applicable laws.

This notice is updated annually. As of July 2023, we updated the metrics for requests related to the right to know and delete for the period from January until December 2022.

Recent changes to the CCPA added new privacy rights for California consumers effective January 1, 2023, including the right to correct, and the right to opt-out of “sharing” of personal information with third parties for personalized advertising purposes. These rights were not in effect during the period from January through December 2022, so numbers of requests related to these rights are not reflected in the current notice.

As noted above, we do not sell personal information, and do not use or disclose your sensitive data for purposes other than those listed above, without your consent, or as permitted or required under applicable laws. Therefore, we do not offer consumers a way to opt-out of the sale of their personal information or limit the use of their sensitive data.