U.S. State Data Privacy Laws Notice
Last Updated: September 2024
Overview
The California Consumer Privacy Act of 2018 (“CCPA”) became effective on January 1, 2020, and created a variety of privacy rights for California consumers. Since that time California has amended the CCPA, and additional states have passed laws extending similar privacy rights to their consumers. We use this notice to make disclosures required by these state laws, in addition to information we provide on the Microsoft Privacy Statement. Please also see our Consumer Health Data Privacy Policy for disclosures related to applicable state consumer health privacy laws.
Please note that rules implementing some of these laws have not yet been finalized. We will update our processes, disclosures, and this notice as these implementing rules are finalized, and as otherwise necessary.
This notice includes the following parts:
- Transparency: We are transparent about how your personal information is collected, used, disclosed, shared, and sold.
- Control: We put you in control of your personal information, including accessing, correcting, and deleting your personal information.
- Benefits to You: We use your personal information to benefit you and to make your experiences better.
To learn more about Microsoft’s privacy principles, visit microsoft.com/privacy.
Transparency
What Personal Information We Collect and Use
You have the right to know what kinds of personal information Microsoft collects, how we obtain and use that information, and our business purposes for that collection.
In the bulleted list below, we outline the categories of personal information we collect, the sources of the personal information, our purposes of processing, and the categories of recipients to whom we provide the personal information.
Please see the Personal data we collect and the U.S. State Data Privacy sections on our privacy statement for more information. Please see the Our retention of personal data section of our privacy statement for information on personal data retention criteria.
Categories of Personal Data
- Name and contact data
  - Sources of personal data: Interactions with users and partners with whom we offer co-branded services
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; respond to customer questions; help, secure, and troubleshoot; and marketing
  - Recipients: Service providers and user-directed entities
- Credentials
  - Sources of personal data: Interactions with users and organizations that represent users
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; authentication and account access; and help, secure and troubleshoot
  - Recipients: Service providers and user-directed entities
- Demographic data
  - Sources of personal data: Interactions with users and purchases from data brokers
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide and personalize our products; product development; help, secure, and troubleshoot; and marketing
  - Recipients: Service providers and user-directed entities
- Payment data
  - Sources of personal data: Interactions with users and financial institutions
  - Purposes of Processing (Collection and Disclosure to Third Parties): Transact commerce; process transactions; fulfill orders; help, secure, and troubleshoot; and detect and prevent fraud
  - Recipients: Service providers and user-directed entities
- Subscription and licensing data
  - Sources of personal data: Interactions with users and organizations that represent users; third-party storefronts and platforms on which our products are purchased
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide, personalize, and activate our products; customer support; help, secure, and troubleshoot; marketing; and accounting
  - Recipients: Service providers and user-directed entities
- Interactions
  - Sources of personal data: Interactions with users including data Microsoft generates through those interactions
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide and personalize our products; product improvement; product development; marketing; and help, secure and troubleshoot
  - Recipients: Service providers and user-directed entities
- Content
  - Sources of personal data: Interactions with users and organizations that represent users
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; safety; and help, secure, and troubleshoot
  - Recipients: Service providers and user-directed entities
- Video or recordings
  - Sources of personal data: Interactions with users and publicly available sources
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; product improvement; product development; marketing; help, secure, and troubleshoot; and safety
  - Recipients: Service providers and user-directed entities
- Feedback and ratings
  - Sources of personal data: Interactions with users
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; product improvement; product development; customer support; and help, secure, and troubleshoot
  - Recipients: Service providers and user-directed entities
Subject to your privacy settings, your consent, and depending on the products you use and your choices, we may collect, process, or disclose certain personal information that qualifies as “sensitive data” under applicable U.S. state data privacy laws. Sensitive data is a subset of personal information. In the list below, we outline the categories of sensitive data we collect, the sources of the sensitive data, our purposes of processing, and the categories of third party recipients to whom we disclose the sensitive data. Please see the Personal data we collect section of our privacy statement for more information about the sensitive data we may collect.
Categories of Sensitive Data
- Account log-in, financial account, debit or credit card number, and the means to access the account (security or access code, password, credentials, etc.)
  - Sources of sensitive data: Interactions with users and organizations that represent users
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide the product and fulfill requested financial transactions
  - Recipients: Service providers and payment processing providers
- Precise geo-location information
  - Sources of sensitive data: Users’ interactions with the products
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide the service requested; product improvement; some attributes may be disclosed to third parties to provide the service
  - Recipients: Users and service providers (please see the Windows Location Services and Recording section of our privacy statement for more information)
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
  - Sources of sensitive data: Communications with users
  - Purposes of Processing (Collection and Disclosure to Third Parties): Conduct research studies to better understand how our products are used and perceived and for the purposes of improving the product experiences
  - Recipients: Service providers
- Medical or mental health, sex life, or sexual orientation
  - Sources of sensitive data: Communications with users
  - Purposes of Processing (Collection and Disclosure to Third Parties): Conduct research studies to better understand how our products are used and perceived and for the purposes of improving the product experiences and accessibility
  - Recipients: Service providers
- Contents of your mail, email, or text messages (where Microsoft is not the intended recipient of the communication)
  - Sources of sensitive data: Users’ interactions with the products
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; improve the product experience; safety; and help, secure, and troubleshoot
  - Recipients: Service providers
- Personal data collected from a known child under 13 years of age
  - Sources of sensitive data: Interactions with users and organizations that represent users
  - Purposes of Processing (Collection and Disclosure to Third Parties): Provide our products; product improvement; product development; recommendations; help, secure, and troubleshoot; and safety
  - Recipients: Service providers and user-directed entities (in accordance with your Microsoft Family Safety settings)
While the bulleted list above contains the primary sources and purposes of processing for personal information collected from children under 13, we also collect personal information from the sources listed in the Collection of Data from children section of our privacy statement.
We make this information available to consumers in the Personal data we collect and the U.S. State Data Privacy sections of our privacy statement.
How We Share Your Personal Information
You have the right to know if your personal information is provided to third parties. We may provide personal information to have our Service Providers, as defined under applicable U.S. state data privacy laws, perform services specified by written contract. These services may include providing our products and services, customer service, preventing fraud, processing payments, fulfilling orders or transactions, and other services depending on your interaction with us. We may also share your information with other third parties when you tell us to do so, such as third-party services or other individuals. In addition, we may disclose personal information to third parties for other notified purposes, as permitted by U.S. state data privacy laws.
We make this information available to consumers in the Reasons we share personal data and the U.S. State Data Privacy sections in our privacy statement.
"Sharing" and personalized ads. We may “share” your personal information with third parties for personalized advertising purposes, as defined under California and other applicable U.S. state laws. “Personalized advertising” in this context means advertisements we believe will be more interesting and useful to you based on your data, including your searches, site visits, and topics you often explore and personal information collected by Microsoft. Third parties may use the data we’ve shared with them to show you personalized ads. Learn more about how to opt out of sharing.
In the list below, we outline the categories of data we share for personalized advertising purposes, the types of recipients of the personal data, and our purposes of processing. For a description of the data included in each category, please see the Personal data we collect section of our privacy statement. You can view our third party ad partners here. For a list of the third parties that set cookies on our websites, including service providers acting on our behalf, please visit our third party cookie inventory.
Categories of Personal Data
- Name and contact data
  - Recipients: Third parties that perform online advertising services for Microsoft or that use Microsoft’s advertising technologies
  - Purposes of Processing: To deliver personalized advertising based on your interests
- Demographic data
  - Recipients: Third parties that perform online advertising services for Microsoft or that use Microsoft’s advertising technologies
  - Purposes of Processing: To deliver personalized advertising based on your interests
- Subscription and licensing data
  - Recipients: Third parties that perform online advertising services for Microsoft or that use Microsoft’s advertising technologies
  - Purposes of Processing: To deliver personalized advertising based on your interests
- Interactions
  - Recipients: Third parties that perform online advertising services for Microsoft or that use Microsoft’s advertising technologies
  - Purposes of Processing: To deliver personalized advertising based on your interests
As noted in our Advertising section of our privacy statement, we do not deliver personalized advertising to children whose birthdate in their Microsoft account identifies them as under 18 years of age. Please also see the Advertising section for more information about our advertising practices.
We Do Not Sell Your Personal Information
You have the right to know whether your personal information is being sold. Your personal information is “sold” when it is provided to a third party for monetary or other valuable consideration for a purpose that is not a “business purpose” as set forth in the CCPA or other U.S. state data privacy laws. Please note a “sale” does not include when we disclose your personal information at your direction, or when otherwise permitted under law.
Microsoft does not sell your personal information.
We Do Not Engage in “Profiling”
You have the right to know whether your personal information is used for “profiling,” utilizing automated decision-making in furtherance of decisions that produce legal or similarly significant effects. Microsoft does not engage in this type of profiling.
Control
Right to Know, Right to Correct, Right to Receive, Right to Delete
You have the right to:
- Know what specific pieces of personal information Microsoft has collected and retained about you over the previous 12 months.
- Correct inaccurate personal information Microsoft may have retained.
- Receive a copy of your personal information.
- Delete your personal information.
Microsoft makes it easy for you to exercise your rights. Using your privacy dashboard, you can log into your Microsoft account and view, download, or delete the specific pieces of personal information we have collected. You can also manage, correct, and update your information directly, such as through your Microsoft account.
It is important to note that a valid login is required to access or delete personal information associated with a Microsoft account. This safeguard is in place to protect the security of consumers and their data.
If you do not have a Microsoft account or have a more detailed privacy inquiry, you can submit a request to our privacy support team via our web form or call our U.S. toll free number +1 (844) 931 2038. If you use an authorized agent, we provide your agent with detailed guidance on how to exercise your privacy rights. In some situations, we may ask you for more information to help us fulfill your request.
If you have made a request to Microsoft to know, correct, receive, or delete your personal information and believe your request was denied by Microsoft, you can exercise your right to appeal the results of your request by contacting our privacy support team via our web form. If your appeal is unsuccessful and depending upon the state where you live, you may have the right to raise a concern or lodge a complaint with your state attorney general.
Right to Limit Use of Sensitive Personal Information
Subject to your privacy settings, your consent, and depending on the products you use and your choices, we may collect, process, or disclose certain personal information that qualifies as “sensitive data” under applicable U.S. state data privacy laws. Sensitive data is a subset of personal information.
You have the right to limit the use or disclosure of your sensitive data to the following types of activities, in accordance with applicable U.S. state data privacy laws:
- Perform the services or provide the goods you reasonably expect
- Help ensure the security and integrity of our services, systems, and data, to combat malicious, deceptive, fraudulent, or illegal acts, and to protect the physical safety of individuals, to the extent the processing is reasonably necessary and proportionate
- For short-term transient use (including non-personalized advertising), so long as the personal data is not disclosed to a third party, is not used for profiling, and is not used to alter an individual’s experience outside the current interaction with Microsoft
- Perform services on behalf of Microsoft, such as maintaining accounts, providing customer service, processing, or fulfilling orders/transactions, verifying customer information, processing payments, providing financing, providing analytics, providing storage, and similar services
- Undertake activities to verify or maintain the quality or safety of, or improve, upgrade, or enhance a service or device owned or controlled by Microsoft.
- Collect or process sensitive data where the collection or processing is not for inferring characteristics about the individual
- Any other activities in accordance with any future regulations that are issued pursuant to U.S. state data privacy laws
We do not use or disclose your sensitive data for purposes other than those listed above, without your consent, or as permitted or required under applicable laws. So, we do not offer an ability to limit the use of sensitive data.
Right to Opt-out of “Sale” or “Sharing”
Microsoft does not sell your personal information, so we do not offer an opt out. Microsoft may “share” personal information with third parties for personalized advertising purposes. You may indicate your choice to opt-out of the sharing of your personal data with third parties for personalized advertising on third party sites by visiting our sharing opt-out page.
Even if you turn off “sharing,” you may still see personalized ads based on information other companies and ad networks have collected about you, if you have not opted out of sharing with them.
Right to Opt-Out of “Profiling”
Microsoft does not engage in “profiling” that utilizes your personal information for automated decision-making that produces legal or similarly significant effects. So, we do not offer an opt-out for this type of profiling.
Benefits to You
Financial Incentives
The CCPA and other U.S. state data privacy laws allow businesses to offer consumers financial incentives for sharing personal information. For example, a business can offer a rewards program or provide a premium service to consumers as compensation for their personal information. Where Microsoft offers these programs, your participation is optional. If you choose to participate, your participation will be subject to any applicable terms, and you may withdraw at any time.
Non-Discrimination
U.S. state privacy laws prohibit businesses from discriminating against you for exercising your rights under the law. Such discrimination may include denying a good or service, providing a different level or quality of service, or charging different prices. The CCPA permits businesses to provide differing levels or quality or different prices where the business can demonstrate that the difference is reasonably related to the value to the business of the consumer’s personal information.
Disclosure of privacy rights requests
The CCPA requires businesses to disclose the number of requests received, complied with in whole or in part, or denied. We give our customers control over their data through the Microsoft privacy dashboard, which receives millions of requests from customers globally to view and delete data. Requests to view and delete personal data on the Privacy dashboard are fulfilled immediately. We provide tools in which our customers can manage, correct, and update their information directly, such as through their Microsoft account.
We also provide a web form for customers to contact our privacy team, the Privacy Response Center, for additional support. Requests to view, correct, export, and delete personal data are fulfilled within 30 days through the various tools Microsoft provides.
2023 privacy requests
Request type | Requests received | Requests complied with in full or in part |
---|---|---|
Requests to Know from CA consumers through the Microsoft privacy dashboard and Privacy Response Center | 1,163,934 | 1,163,929 |
Requests to Delete from CA consumers through the Microsoft privacy dashboard and Privacy Response Center | 774,056 | 774,051 |
Requests to Correct from CA consumers through the Privacy Response Center | 0 | 0 |
We also responded to 92,717 requests from U.S. Microsoft account holders to opt-out of sharing data with third parties for personalized advertising purposes through our third-party ads settings control. We did not receive any requests to correct through our Privacy Response Center in 2023.
We determine whether someone is a California consumer by (1) IP address for the Privacy Dashboard and (2) whether they mention CCPA in their request for the Privacy Response Center.
Ten requests were denied in 2023 due to an inability to verify the request. Five of these were requests to know, and five were requests to delete.
The average response time to complete received requests was less than one day. Our privacy team responded to requests from California consumers submitted through our privacy webform with an average of two days for access deletion requests.
Certain data may not be provided or may be retained according to the Microsoft Privacy Statement, for example, to comply with applicable laws.
This notice is updated annually. As of June 2024, we updated the metrics for requests related to the right to know and delete for the period from January until December 2023.
As noted above, we do not sell personal information, and do not use or disclose your sensitive data for purposes other than those listed above, without your consent, or as permitted or required under applicable laws. Therefore, we do not offer consumers a way to opt-out of the sale of their personal information or limit the use of their sensitive data.
Microsoft is currently registered in Oregon as Microsoft Corporation, Microsoft Infrastructure Group LLC, and Obsidian Entertainment.