Microsoft Privacy Report

At Microsoft, we believe that privacy is a fundamental human right that requires a commitment to provide robust data protection for every individual and organization. We live up to this commitment by providing products, information, and controls that allow you to choose how data is collected and used. Read on to learn more about how we collect personal data, the controls that you have over that data, and other privacy updates that enable you to make informed choices.

About this report

Microsoft is committed to empowering our commercial and consumer customers to make the choices that work best for them. To that end, we will publish an update on our privacy work twice a year. This update, published in December of 2019, is our inaugural privacy report. It covers the work that we are doing to classify personal data collected from devices as Required or Optional, highlights our delivery of Data Subject Rights like the rights to access and delete personal data, and provides some thoughts on privacy trends you should be aware of.

Personal data collection

Microsoft is always looking to give you increased transparency, understanding, and control over your data. As part of this work, we are moving our major products and services to a more unified model where the categories of personal data collected from customer devices are classified as either required or optional. We believe this model will provide you with a simpler experience – information should be easier to find, easier to understand, and easier to act on through the tools we provide.

Data in the required category is data that enables our products and services to work as expected and to keep them up to date, secure, and performing properly. Required data includes things like the terms of a search query so we can return relevant search results, the IP address, type and version of your device so that we can provide connectivity to our cloud services and security patches that keep your experience safe and secure, and diagnostic data so that we can detect significant feature failures.

In some cases, you can control whether required data is collected by deciding whether to use the product features or functions that depend on that required data. For example, if an enterprise customer uses Office 365 with document storage and collaboration in the cloud, we will collect the data required to keep an employee’s documents secure and synced across all her devices. We focus on creating controls over features and functions that make sense for you and are always open to feedback on what might work better. We are working on providing additional configuration options that will give you more control over the collection of data that’s required for certain features or functions.

Data in the optional category is not essential to the product or service experience, and you can control the collection of optional data independently from choosing to use specific product features or functions. We enable you to decide whether to allow such collection at product setup for our major products and services. We also make it easier for you to change your mind about optional data collection after the initial product setup on your devices. Examples of optional data include data we collect about the pictures you are inserting into Word documents to provide better image options and about the time it takes for a PowerPoint slide to appear on your screen so we can improve the experience if it’s slow. We think there are compelling reasons for people to share this optional data, because it makes it easier for us to troubleshoot issues and creates the opportunity for new or improved experiences. But we want you to understand what’s happening and to have the opportunity to make this choice for yourself.

Click on the services below to see a summary of their data collection practices. Note that, while this report will be published twice per year, the summaries linked below may change more often as new service updates become available. In addition, you can expect to see additional services like Xbox and Dynamics added in future reports.

              
Office

Windows

Data Subject Rights

Data Subject Rights, or DSRs, are one of the cornerstones of the EU’s General Data Protection Regulation (GDPR) and other domestic and international privacy laws. DSRs help provide transparency and control by allowing individuals to view, export, delete, and control their personal data.

More than 28 million people around the world – including about 10.3 million people in the United States – have used our privacy dashboard to understand and control their personal data. By being transparent about the data we collect and how we use it, the dashboard allows our customers to see the data we’ve collected, export data that they want to keep or port to another service, and delete information that they no longer want Microsoft to have.


Over a six-month period from May through October of 2019, we’ve had over 7.7 million people use the dashboard to exercise their rights. In that time, the following markets had the most unique visitors:


California Consumer Privacy Act

The United States has long had strong federal privacy laws focused on sensitive data like health and financial information. Recently we have begun to see the rise of more comprehensive state privacy laws such as the California Consumer Privacy Act (CCPA). Under CCPA, which goes into effect on January 1, 2020, companies must be transparent about data collection and use, and provide people with the option to prevent their personal information from being sold. We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents. In 2018, we were the first company to voluntarily extend the core data privacy rights included in the European Union’s GDPR to customers around the world, not just to those in the EU who are covered by the regulation. Similarly, we will extend CCPA’s core rights for people to control their data to all of our customers in the U.S. While many of our customers and users will find that the protections we already offer them through our GDPR commitment will be stronger than those rights and protections offered by the new California law, we are committed to supporting states as they enact laws that increase privacy protection in the U.S. Visit our CCPA page to learn more.

In addition, we are working closely with our enterprise customers to help them comply with CCPA. Companies doing business in the EU are likely subject to the GDPR and thus should already be prepared to extend DSRs. But, for many commercial customers based in the U.S., aspects of CCPA compliance may be new or challenging. Commercial customers should visit the CCPA overview page to learn how Microsoft can help your organization protect your customers’ data and meet the requirements of CCPA.

Clarification of Processor obligations under our Online Service Terms

Microsoft has been working on improving our transparency and protections for our commercial customers as well. We have recently announced updates to our Online Services Terms (OST) in our commercial Cloud contracts as a direct result of feedback we’ve heard from our customers. The work clarifies that Microsoft takes on heightened, controller responsibilities for certain administrative and operational purposes in our Cloud services. Visit our blog to learn more about the specific details of these changes.

Other resources

Thank you for taking the time to read Microsoft’s inaugural privacy report. If you would like to learn more about privacy at Microsoft, please visit the following resources:

In addition to this report, you may also be interested in our transparency report regarding Law Enforcement Requests. To find additional reports about important topics like human rights and sustainability, please visit the Microsoft Transparency Hub.