Overview

The California Consumer Privacy Act of 2018 (“CCPA”) became effective on January 1, 2020 and created a variety of privacy rights for California consumers. In November 2020, California amended the CCPA, effective January 1, 2023. Additionally, Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (July 1, 2023), and Utah (December 31, 2023) have passed laws extending similar privacy rights to their consumers. We use this notice to make disclosures required by these state laws.

Please note that the rules implementing some of these laws have not yet been finalized. We are continuously working to better comply with these laws, and we will update our processes, disclosures, and this notice as these implementing rules are finalized.

This notice includes the following parts:

  • Transparency: We are transparent about how your personal information is collected, used, disclosed, shared, and sold.
  • Control: We put you in control of your personal information, including accessing, correcting, and deleting your personal information.
  • Benefits to You: We use your personal information to benefit you and to make your experiences better.

To learn more about Microsoft’s privacy principles, visit privacy.microsoft.com.

Transparency

What Personal Information We Collect and Use

You have the right to know what kinds of personal information Microsoft collects, how we obtain and use that information, and our business purposes for that collection.

In the bulleted list below, we outline the categories of personal information we collect, the sources of the personal information, our purposes of processing, and the categories of recipients to whom we provide the personal information.

Please see the Personal data we collect and the U.S. State Data Privacy sections on our privacy statement for more information. Please see the Our retention of personal data section of our privacy statement for information on personal data retention criteria.

Categories of Personal Data

  • Name and contact data
    • Sources of personal data: Interactions with users and partners with whom we offer co-branded services
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; respond to customer questions; help, secure, and troubleshoot; and marketing
    • Recipients: Service providers and user-directed entities
  • Credentials
    • Sources of personal data: Interactions with users and organizations that represent users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; authentication and account access; and help, secure and troubleshoot
    • Recipients: Service providers and user-directed entities
  • Demographic data
    • Sources of personal data: Interactions with users and purchases from data brokers
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide and personalize our products; product development; help, secure, and troubleshoot; and marketing
    • Recipients: Service providers and user-directed entities
  • Payment data
    • Sources of personal data: Interactions with users and financial institutions
    • Purposes of Processing (Collection and Disclosure to Third Parties): Transact commerce; process transactions; fulfill orders; help, secure, and troubleshoot; and detect and prevent fraud
    • Recipients: Service providers and user-directed entities
  • Interactions
    • Sources of personal data: Interactions with users including data Microsoft generates through those interactions
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide and personalize our products; product improvement; product development; marketing; and help, secure and troubleshoot
    • Recipients: Service providers and user-directed entities
  • Content
    • Sources of personal data: Interactions with users and organizations that represent users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; safety; and help, secure, and troubleshoot
    • Recipients: Service providers and user-directed entities
  • Video or recordings
    • Sources of personal data: Interactions with users and publicly available sources
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; product improvement; product development; marketing; help, secure, and troubleshoot; and safety
    • Recipients: Service providers and user-directed entities
  • Feedback and ratings
    • Sources of personal data: Interactions with users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; product improvement; product development; customer support; and help, secure, and troubleshoot
    • Recipients: Service providers and user-directed entities

Subject to your privacy settings, and depending on the products you use and your choices, we may collect, process, or disclose certain personal information that qualifies as “sensitive data” under applicable U.S. state data privacy laws. Sensitive data is a subset of personal information. In the list below, we outline the categories of sensitive data we collect, the sources of the sensitive data, our purposes of processing, and the categories of third party recipients to whom we disclose the sensitive data. Please see the Personal data we collect section of our privacy statement for more information about the sensitive data we may collect.

Categories of Sensitive Data

  • Account log-in, financial account, debit or credit card number, and the means to access the account (security or access code, password, credentials, etc.)
    • Sources of sensitive data: Interactions with users and organizations that represent users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide the product and fulfill requested financial transactions
    • Recipients: Service providers and payment processing providers
  • Precise geo-location information
    • Sources of sensitive data: Users’ interactions with the products
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide the service requested; product improvement; some attributes may be disclosed to third parties to provide the service
    • Recipients: Users and service providers (please see the Windows Location Services and Recording section of our privacy statement for more information)
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership
    • Sources of sensitive data: Communications with users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Conduct research studies to better understand how our products are used and perceived and for the purposes of improving the product experiences
    • Recipients: Service providers
  • Medical or mental health, sex life, or sexual orientation
    • Sources of sensitive data: Communications with users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Conduct research studies to better understand how our products are used and perceived and for the purposes of improving the product experiences and accessibility
    • Recipients: Service providers
  • Contents of your mail, email, or text messages (where Microsoft is not the intended recipient of the communication)
    • Sources of sensitive data: Users’ interactions with the products
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; improve the product experience; safety; and help, secure, and troubleshoot
    • Recipients: Service providers
  • Personal data collected from a known child under 13 years of age
    • Sources of sensitive data: Interactions with users and organizations that represent users
    • Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; product improvement; product development; recommendations; help, secure, and troubleshoot; and safety
    • Recipients: Service providers and user-directed entities (in accordance with your Microsoft Family Safety settings)

While the bulleted list above contains the primary sources and purposes of processing for personal information collected from children under 13, we also collect personal information from the sources listed in the Collection of Data from children section of our privacy statement.

We make this information available to consumers in the Personal data we collect and the U.S. State Data Privacy sections of our privacy statement.

How We Share Your Personal Information

You have the right to know if your personal information is provided to third parties. We may provide personal information to have our Service Providers, as defined by the CCPA, perform services specified by written contract. In addition, we may disclose personal information to third parties for other notified purposes, as permitted by U.S. state data privacy laws.

We make this information available to consumers in the Reasons we share personal data and the U.S. State Data Privacy sections in our privacy statement.

Sharing and personalized ads. We may “share” your personal information with third parties for personalized advertising purposes, as defined under California and other applicable U.S. state laws. “Personalized advertising” in this context means advertisements we believe will be more interesting and useful to you based on your data, including your searches, site visits, and topics you often explore and personal information collected by Microsoft. Third parties may use the data we’ve shared with them to show you personalized ads. Learn more about how to opt out of sharing.

In the bulleted list below, we outline the categories of data we share for personalized advertising purposes, the recipients of the personal data, and our purposes of processing. For a description of the data included in each category, please see the Personal data we collect section of our privacy statement.

Categories of Personal Data

  • Name and contact data
    • Recipients: Third parties that perform online advertising services for Microsoft
    • Purposes of Processing: To deliver personalized advertising based on your interests
  • Demographic data
    • Recipients: Third parties that perform online advertising services for Microsoft
    • Purposes of Processing: To deliver personalized advertising based on your interests
  • Subscription and licensing data
    • Recipients: Third parties that perform online advertising services for Microsoft
    • Purposes of Processing: To deliver personalized advertising based on your interests
  • Interactions
    • Recipients: Third parties that perform online advertising services for Microsoft
    • Purposes of Processing: To deliver personalized advertising based on your interests

As noted in our Advertising section of our privacy statement, we do not deliver personalized advertising to children whose birthdate in their Microsoft account identifies them as under 18 years of age. Please also see the Advertising section for more information about our advertising practices.

We Do Not Sell Your Personal Information

You have the right to know whether your personal information is being sold. Your personal information is “sold” when it is provided to a third party for monetary or other valuable consideration for a purpose that is not a “business purpose” as set forth in the CCPA or other U.S. state data privacy laws. Please note a “sale” does not include when we disclose your personal information at your direction, or when otherwise permitted under law.

Microsoft does not sell your personal information.

Control

Right to Know, Right to Correct, Right to Receive, Right to Delete

You have the right to:

  • Know what specific pieces of personal information Microsoft has collected and retained about you over the previous 12 months.
  • Correct inaccurate personal information Microsoft may have retained.
  • Receive a copy of your personal information.
  • Delete your personal information.

Microsoft makes it easy for you to exercise your rights. Using your privacy dashboard, you can log into your Microsoft account and view, download, or delete the specific pieces of personal information we have collected.

It is important to note that a valid login is required to access or delete personal information associated with a Microsoft account. This safeguard is in place to protect the security of consumers and their data.

If you do not have a Microsoft account, have a more detailed privacy inquiry, or wish to appeal, you can submit a request to our privacy support team via our web form or call our U.S. toll free number +1 (844) 931 2038. If you use an authorized agent, we provide your agent with detailed guidance on how to exercise your privacy rights. In some situations, we may ask you for more information to help us fulfill your request.

Right to Limit Use of Sensitive Personal Information

Subject to your privacy settings, and depending on the products you use and your choices, we may collect, process, or disclose certain personal information that qualifies as “sensitive data” under applicable U.S. state data privacy laws. Sensitive data is a subset of personal information.

You have the right to limit the use or disclosure of your sensitive data to the following types of activities, in accordance with applicable U.S. state data privacy laws:

  • Perform the services or provide the goods you reasonably expect
  • Help ensure the security and integrity of our services, systems, and data, to combat malicious, deceptive, fraudulent or illegal acts, and to protect the physical safety of individuals, to the extent the processing is reasonably necessary and proportionate
  • For short-term transient use (including non-personalized advertising), so long as the personal data is not disclosed to a third party, is not used for profiling, and is not used to alter an individual’s experience outside the current interaction with Microsoft
  • Perform services on behalf of Microsoft, such as maintaining accounts, providing customer service, processing, or fulfilling orders/transactions, verifying customer information, processing payments, providing financing, providing analytics, providing storage, and similar services
  • Undertake activities to verify or maintain the quality or safety of, or improve, upgrade, or enhance a service or device owned or controlled by Microsoft
  • Collect or process sensitive data where the collection or processing is not for inferring characteristics about the individual
  • Any other activities in accordance with any future regulations that are issued pursuant to U.S. state data privacy laws

We do not use or disclose your sensitive data for purposes other than those listed above and permitted under applicable U.S. state data privacy laws. So, we do not offer an ability to limit the use of sensitive data.

Right to Opt-out of “Sale” or “Sharing”

Microsoft does not sell your personal information, so we do not offer an opt out. Microsoft may “share” personal information with third parties for personalized advertising purposes. You may indicate your choice to opt-out of the sharing of your personal data with third parties for personalized advertising on third party sites by visiting our sharing opt-out page.

Even if you turn off “sharing,” you may still see personalized ads based on information other companies and ad networks have collected about you, if you have not opted out of sharing with them.

Benefits to You

Financial Incentives

The CCPA and other U.S. state data privacy laws allow businesses to offer consumers financial incentives for sharing personal information. For example, a business can offer a rewards program or provide a premium service to consumers as compensation for their personal information. Where Microsoft offers these programs, your participation is optional. If you choose to participate, your participation will be subject to any applicable terms, and you may withdraw at any time.

Non-Discrimination

U.S. state privacy laws prohibit businesses from discriminating against you for exercising your rights under the law. Such discrimination may include denying a good or service, providing a different level or quality of service, or charging different prices. The CCPA permits businesses to provide differing levels or quality or different prices where the business can demonstrate that the difference is reasonably related to the value to the business of the consumer’s personal information.

Disclosure of privacy rights requests

The CCPA requires businesses to disclose the number of requests received, complied with in whole or in part, or denied. We give our customers control over their data through the Microsoft privacy dashboard, which receives millions of requests from customers globally to view and delete data. Requests to view and delete personal data on the Privacy dashboard are fulfilled immediately. Requests to view, export, and delete personal data are fulfilled within 30 days through the various tools Microsoft provides.

Requests to view and delete personal data

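  • 2020
    • Requests to know from CA consumers through the Microsoft privacy dashboard and Privacy Response Center: 2,951,350
    • Requests to delete from CA consumers through the Microsoft privacy dashboard and Privacy Response Center: 2,846,684
  • 2021
    • Requests to know from CA consumers through the Microsoft privacy dashboard and Privacy Response Center: 1,969,607
    • Requests to delete from CA consumers through the Microsoft privacy dashboard and Privacy Response Center: 1,727,758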


We determine whether someone is a California consumer by (1) IP address for the Privacy Dashboard and (2) whether they mention CCPA in their request for the Privacy Response Center.

We do not sell and therefore do not offer an opt-out to the sale of personal information.

Certain data may not be provided or may be retained according to the Microsoft Privacy Statement, for example, to comply with applicable laws.