Microsoft Privacy Report

Published: April 2024



Woman spectacles laptop.

At Microsoft, we value, protect, and defend your privacy. Our approach is built on our long-standing privacy principles of user control, transparency, security, defending data from third party access, and using personal data in ways that provide meaningful benefit to you.

We are committed to protecting privacy by providing products, information, and controls that allow you to choose how your data is collected and used. From products built with privacy by design to transparent information and user controls, our goal is to empower individuals and our customers to make informed choices about their data.

As part of our commitment to privacy and transparency, the Microsoft Privacy Report is published to share the latest information on what personal data we collect, how it may be used, and how you can manage and control your information. The report also summarises key developments and trends in global privacy and how they could affect Microsoft, our customers and the global regulatory environment.

Driving AI innovation while protecting privacy

Microsoft remains committed to driving responsible AI innovation while protecting privacy and other fundamental rights. We provide transparency and choice, tools to help our customers control their data and will continue to respond to the changing privacy landscape in service of our customers and the industry overall.

Across the globe, we continue to see an acceleration of data protection and privacy regulation along with rapid advances in new kinds of technologies, like artificial intelligence, that leverage data. Our customers are interested in the latest developments in advanced AI systems and solutions that meet their unique data use and governance needs.

At Microsoft, we believe protecting privacy is fundamental to the development of advanced AI systems. We have had a principles-based AI governance structure and system across the company since 2017. Today, we have dedicated employees throughout the company and across multiple disciplines, including research, policy, and engineering, who ensure that our AI solutions meet society’s expectations and our ethical principles.

As our customers continue to expand their use of our AI solutions, we will continue to develop our solutions in alignment with our ethical principles, corporate policies, and voluntary commitments to promote safe, secure, and transparent AI. A core aspect of our efforts is our adherence to our Responsible AI Standard, which outlines specific requirements for how we develop and deploy AI systems. The standard guides our internal teams by transforming our AI principles – of fairness, reliability and safety, privacy and security, inclusiveness, transparency and accountability – into concrete engineering practises.

As part of our commitment to transparency, we describe the personal data we collect, how we use this data, and how we share this data in the Microsoft Privacy Statement. We provide a summary of recent updates in our Change History.

Microsoft has integrated Copilot into many products and services, and each one is created and deployed in alignment with our critical security, compliance and privacy policies and processes. To help people understand the capabilities of these new AI solutions and ensure transparency in our approach, Microsoft has published a variety of resources to provide more information about our approach to privacy and AI for our consumer and commercial and public sector customers. Comprehensive and transparent documentation and information helps organisations understand how our AI tools work and the choices that our customers can make which influence system performance and behaviour. Customers can find more information about Microsoft Copilot in our documentation, adoption resources, new Copilot Lab resource page, and through the Azure OpenAI Service documentation, quickstarts and API reference guides.

In addition to our internal practices, Microsoft supports global regulatory initiatives to ensure that AI is developed and used in responsible, privacy-protecting and ethical ways. In the United States, Microsoft has confirmed support for the Voluntary AI Commitments from the White House and supports the legislative efforts and vision in Europe, the UK and other jurisdictions as they work to develop risk-based frameworks that ensure people can realise the promises of AI responsibly and in ways that respect fundamental rights.

We have been at the forefront of cutting-edge research in AI and will continue to integrate powerful, innovative AI technologies into our products and services to help customers do more while preserving data privacy, transparency, and trust.

Privacy tools and resources. Learn how to control your data.

We provide tools to help you control your personal data and manage your interactions with Microsoft products and services. With the Microsoft privacy dashboard, you can view, delete, and manage your privacy settings and data collected while signed into your Microsoft account. Data that appears on the dashboard includes data from your Bing searches, Microsoft Edge browsing, location history, and use of Microsoft apps and services. Recently, we made it easier for family organisers to view and manage the activity data for connected child accounts from the privacy dashboard.

For data that is collected by Copilot in Bing, including through user queries and prompts, the Microsoft privacy dashboard provides authenticated (signed in) users with tools to exercise their data subject rights, including by providing users with the ability to view, export, and delete stored conversation history. We continue to listen to feedback on how users want to manage their Copilot and search experience, including through in-context data management experiences. Each month, the privacy dashboard has 3 million monthly active users, showing active engagement and use globally.

For our young users, Microsoft offers an immersive game-based learning adventure, Privacy Prodigy, for students aged 7-18. In this Minecraft game, players take on the challenge of protecting their data as they venture further from home, encountering scenarios that help them learn about the personal information that can be shared and what should be kept private. We believe it is important to supplement privacy tools like the dashboard with educational resources, particularly for young people as they learn to navigate the online world. Privacy prodigy is available for free in our Minecraft Education portal and in the Minecraft Marketplace.

For our commercial and public sector customers, Microsoft has a variety of enterprise-grade solutions and services that help our customers control, protect, and defend their data. For example, with the EU Data Boundary, Microsoft provides enhanced residency capabilities for processing and storing commercial and public sector customers’ personal data within the European Union.

With the Microsoft Purview and Microsoft Priva offerings, organisations can understand and govern their data estates and sensitive information. Purview capabilities include Adaptive Protection, which uses machine learning to understand how users are interacting with data and assign risk levels. Microsoft Purview can then adapt by adjusting Data Loss Prevention (DLP) controls in response to a detected risk. Microsoft Priva is an advanced solution complementing Purview, tailored for effective data estate governance and handling of sensitive information using advanced automation capabilities.

In April 2024, we announced new solutions in Priva to help customers modernise their privacy programme. The expansion of Microsoft Priva brings automated capabilities to help organisations meet adapting privacy requirements and further enables organisations to automate the management, definition and tracking of privacy operations. Learn more about how the suite of Priva solutions has expanded here.

Microsoft Entra is a cloud-based service that provides identity, data and collaboration solutions for enterprises and organisations. Microsoft has recently introduced a range of new security tools and features for the Microsoft Entra product family, aimed at helping organisations improve their security and data protection posture. With the ever-increasing sophistication of cyber-attacks, the increasing use of cloud-based services and the proliferation of mobile devices, it is essential that organisations have effective tools in place to manage their security scope.

Privacy by design. Understanding required and optional data.

For each of our core online services, we provide our customers with transparency around how we use data through a system that identifies when the personal data is used for purposes that are Required or Optional. Required data helps us keep our products secure and up to date. It also helps us fix any problems with how they work. Optional data lets us improve our products with extra features or analysis. Our customers can choose whether to share optional data with us.

We are transparent about our approach to what data we collect, how we use it, and the choices that our customers can make. We publish and update summaries for each of our core online services to help our customers understand how their data is used and to make informed choices.

Privacy in a changing world

Microsoft has long supported comprehensive privacy legislation and is committed to helping develop durable global solutions. We continue to work constructively with regulators, lawmakers, NGOs, and others at the federal and state level in the United States and around the globe to advance meaningful data protection and privacy regulation. Microsoft products and services already comply with global regulations, and we are committed to continuing to move quickly to adapt to changing regulations on behalf of our customers. We support strong, comprehensive, and interoperable privacy and data protection laws globally.

As privacy and data protection laws advance and norms and requirements evolve across the globe, Microsoft will adapt to ensure our products and services continue to be compliant and to provide assurances and support for our customers. Recently, there has been significant momentum in state-level privacy laws in the US and new regulations, decrees and case law in the European Union, India, Japan, South Korea, Vietnam and other jurisdictions that, in some cases, may change requirements for organisations such as Microsoft.

The trusted cross-border flow of data continues to be a priority issue for governments and organisations. Microsoft was one of the first US organisations to be certified against the EU-US Data Privacy Framework (DPF), a mechanism that enables the transfer of personal data from the European Union to the United States in compliance with EU law. We have committed to meeting or exceeding all the requirements of the EU-U.S. Data Privacy Framework, the UK Extension of the EU-U.S. DPF, and the Swiss-U.S. DPF, including updating our notices to our customers and employees.

In the United States, we have seen significant momentum in the privacy landscape, marked by bipartisan support for the Americans Privacy Rights Act. This act represents progress toward enacting a federal privacy law through Parliament. Microsoft has long advocated for federal privacy protections in the United States and supports the note, recognising its potential to provide businesses with clear guidelines and individuals with robust protections. Additionally, the U.S. House of Representatives passed the Protecting Americans’ Data from Foreign Adversaries Act, marking the first data privacy note approved by a Congressional chamber in recent years. At the state level, there are more than a dozen states with comprehensive privacy laws that set out holistic approaches to protecting the privacy of consumers’ personal data. A number of states have also passed protections for children’s data and health data. Washington’s My Health My Data Act, focuses on personal health data not covered by HIPAA. It creates strict controls on the collection of health data and sets forth rights and restrictions for businesses, including Microsoft. With most provisions set to take effect by March 31, 2024, the law introduces rigorous controls over consumer health data management, such as consent requirements, rights to data control, and geofencing restrictions.

Globally, comprehensive privacy laws continue to be adopted, including India’s Digital Personal Data Protection Act, which we believe offers strong protections to personal data while enabling innovation and digital development in the region. Regulators and lawmakers around the world including in Korea, Japan, and the UK continue to update laws to regulate the flow of data and introduce privacy provisions in regulations that address new technologies, like AI.

At Microsoft, privacy and safety go hand in hand. Among the major developments globally is the European Union’s Digital Services Act (DSA) – a far reaching piece of legislation designed to keep users safe online. Microsoft has made a number of updates to its services in support of the compliance requirements for the DSA. To learn more about Microsoft’s approach to Digital Safety, please visit: https://www.microsoft.com/DigitalSafety.

Learn more about Microsoft reports

Microsoft remains committed to on-going engagement and improvement as we continue to navigate this new era of innovation and regulation. We will continue to be guided by our principles and mature data governance model inside and outside the company. We will also continue to share learnings to help our customers in their efforts to protect privacy and ensure the responsible stewardship of data. In addition to this Privacy Report, we offer a comprehensive overview of our efforts to nurture digital trust in our Reports Hub. Microsoft publishes regular reports, including metrics on how Microsoft responds to government and law enforcement requests for user data and content removal. In October 2023, the Bing EU Digital Services Act Report was added to the Reports Hub, where we publish these other reports:



Tell us how we are doing!

Contact the Microsoft privacy team with your feedback about this Privacy Report.