U.S. State Data Privacy Laws Notice

This notice applies to residents of the United States, and supplements the Microsoft Privacy Statement with additional information required by U.S. state data privacy laws. It provides details on the personal data we collect, use, and disclose, and describes your rights with respect to that data. Please also see our Consumer Health Data Privacy Policy for information related to applicable U.S. state consumer health privacy laws.

You have the right to know, at or before collection, what kinds of personal data we collect, the purposes we collect and use it for, whether we sell or “share” your personal data, and how long we keep your data. Please see below and the Personal data we collect, How we use personal data, and Reasons we disclose personal data sections of our privacy statement for more information.

We disclose personal data for several reasons. We provide personal data to have our service providers perform services specified by written contract. These services may include providing our products and services, customer service, preventing fraud, processing payments, fulfilling orders or transactions, and other services depending on your interaction with us. We also disclose your data when you tell us to, such as with third-party services or other individuals (like the recipient of an email via Outlook). In addition, we may disclose personal data for other notified purposes, as permitted by U.S. state data privacy laws.

We “share” (as defined under the California Consumer Privacy Act or “CCPA”) certain categories of personal data for personalized advertising purposes. “Personalized advertising” means advertisements we believe will be more interesting and useful to you based on data collected across different sites or products, including your searches, site visits, and other personal data collected by Microsoft. Third parties may use the data we’ve shared with them to show you personalized ads. You can view our third party ad partners here. For a list of the third parties that set cookies on our websites, including service providers acting on our behalf, please visit our third party cookie inventory. You can opt out of the sharing of your personal data with third parties for personalized advertising by visiting our third party ad sharing opt-out page.  To turn off all personalized ads, go to our personalized ad and offers page.

Please note that we do not deliver personalized advertising to children whose birthdate in their Microsoft account identifies them as under 18 years of age.

In the bulleted lists below, we outline the categories of personal data and sensitive personal data we collect, the purposes for our  processing, whether that data is “shared” for personalized advertising purposes with third parties,  and the categories of recipients who we disclose data with. As referenced in the Reasons we disclose personal data section, we may also share this data among Microsoft-controlled affiliates and subsidiaries.

Additionally and with appropriate safeguards, Microsoft uses and discloses to our research partners personal data to conduct scientific and product research, including research to understand product use, improve quality and accessibility, and to support advancements in areas such as machine learning and artificial intelligence, for the benefit of the public interest and scientific purposes.

Categories of Personal Data

• Name and contact data
  • Purposes of processing: Provide our products and services; respond to customer questions; help, secure, and troubleshoot; advertising and marketing
  • “Share” for personalized advertising purposes: Yes
  • Recipients: Service providers, advertising partners, and other parties you may direct
• Credentials
  • Purposes of processing: Provide our products and services; authentication and account access; and help, secure and troubleshoot
  • ‘Share” for personalized advertising purposes: No
  • Recipients: Service providers and other parties you may direct
• Demographic data
  • Purposes of processing): Provide and personalize our products and services; product development; help, secure, and troubleshoot; advertising; and marketing
  • “Share” for personalized advertising purposes: Yes
  • Recipients: Service providers, advertising partners, and other parties you may direct
• Payment data
  • Purposes of processing: Transact commerce; process transactions; fulfill orders; help, secure, and troubleshoot; and detect and prevent fraud
  • “Share” for personalized advertising purposes: No
  • Recipients: Service providers and other parties you may direct
• Subscription and licensing data
  • Purposes of processing: Provide, personalize, and activate our products and services; customer support; help, secure, and troubleshoot; advertising; marketing; and accounting
  • “Share” for personalized advertising purposes: Yes
  • Recipients: Service providers, advertising, partners, and other parties you may direct
• Interactions
  • Purposes of processing: Provide and personalize our products and services; product improvement; product development; marketing; and help, secure and troubleshoot
  • “Share” for personalized advertising purposes: Yes
  • Recipients: Service providers, advertising partners, and other parties you may direct
• Content
  • Purposes of processing: Provide our products and services; safety; and help, secure, and troubleshoot
  • Share for personalized advertising purposes: No
  • Recipients: Service providers and other parties you may direct
• Video or recordings
  • Purposes of processing : Provide our products and services; product improvement; product development; marketing; help, secure, and troubleshoot; and safety
  • Share for personalized advertising purposes: No
  • Recipients: Service providers and other parties you may direct
• Feedback and ratings
  • Purposes of processing : Provide our products and services; product improvement; product development; customer support; and help, secure, and troubleshoot
  • Share for personalized advertising purposes: No
  • Recipients: Service providers and other parties you may direct

Subject to your privacy settings, your consent, and depending on the products you use and your choices, we may collect, process, or disclose certain personal data that qualifies as “sensitive data” under applicable U.S. state data privacy laws. Sensitive data is a subset of personal data. In the list below, we outline the categories of sensitive data we collect, the sources of the sensitive data, our purposes of processing, and the categories of recipients to which we disclose the sensitive data.

Categories of Sensitive Data

• Account log-in, financial account, debit or credit card number, and the means to access the account (security or access code, password, credentials, etc.)
  • Purposes of processing: Provide the products and services and fulfill requested financial transactions
  • Recipients: Service providers and payment processing providers
• Precise geo-location information
  • Purposes of processing: Provide the products and services requested; product improvement; some attributes may be disclosed to third parties to provide the service
  • Recipients: Users and service providers (please see the Windows Location Services section of our privacy statement for more information)
• Racial or ethnic origin, religious or philosophical beliefs, or union membership
  • Purposes of processing: Conduct research studies to better understand how our products are used and perceived and for the purposes of improving product experiences
  • Recipients: Service providers
• Medical or mental health, sex life, or sexual orientation
  • Purposes of processing: Provide our products, conduct research studies to better understand how our products are used and perceived and for the purposes of improving product experiences and accessibility
  • Recipients: Service providers
• Contents of your mail, email, or text messages (where Microsoft is not the intended recipient of the communication)
  • Purposes of processing: Provide our products; improve the product experience; safety; and help, secure, and troubleshoot
  • Recipients: Service providers and other parties you may direct
• Personal data collected from a known child under 13 years of age (see in the Collection of Data from children section of our privacy statement for more details)
  • Purposes of processing: Provide our products; product improvement; product development; recommendations; help, secure, and troubleshoot; and safety
  • Recipients: Service providers and user-directed entities (in accordance with your Microsoft Family Safety settings)

U.S. state privacy laws provide for a number of rights with respect to the personal data we collect. If you are a U.S. resident we offer these rights to you regardless of the state in which you reside.

Right to Know / Right to Receive. You have a right to know what specific pieces of personal data Microsoft has collected and retained about you and to receive a copy of that data. You may have the right to know whether we provide your personal data to certain third parties, if any, under certain U.S. state privacy laws.

Right to Correct. You have the right to correct inaccurate personal data Microsoft possesses about you.

Right to Delete. You have the right to request that we delete personal data Microsoft has about you under certain circumstances, subject to certain exceptions.

Right to Limit Use and Disclosure of Sensitive Personal Data. You have the right to limit the use and disclosure of sensitive personal data for any purposes other than to provide the services or goods you request or as otherwise specified and permitted by applicable U.S. state data privacy laws.

We do not use or disclose sensitive personal data for any such additional purposes, so we do not offer an ability to limit the use or disclosure of sensitive data.

Right to Opt Out of Personalized Advertising. You have a right to opt out of personalized advertising, also known as targeted advertising. The CCPA also provides for a right to opt out of “sharing” personal data for personalized advertising purposes. To opt out of the sharing of your personal data with third parties for personalized advertising, visit our third party sharing opt-out page. To opt out of receiving all personalized advertising from Microsoft, visit our personalized ads and offers page.

Microsoft receives and responds to the Global Privacy Control (GPC) browser opt-out signal. Microsoft will turn off sharing your data with third parties for personalized ads and turn off the “Share my data with third parties for personalized ads” toggle if we receive a GPC signal from you when you visit our sites.

Microsoft does not respond to legacy browser-based "Do Not Track" (DNT).

We do not deliver personalized advertising to children whose birthdate in their Microsoft account identifies them as under 18 years of age.

Even if you exercise these opt-out choices, you will still see non-personalized ads from Microsoft. You may still see personalized ads from other companies and ad networks if you have not opted out with them. Please see the Advertising section of our privacy statement for more details and additional ways of exercising control over personalized advertising.

Right to Opt Out from “Sales” of Personal Data. U.S. state privacy laws provide for a right to opt out from the “sale” of personal data. Please note a “sale” does not include when we disclose your personal information at your direction or where otherwise permitted by law. Microsoft does not “sell” personal data as defined by those laws, so we do not offer this opt-out choice.

U.S. state privacy laws provide for a right to opt out from “profiling” that utilizes your personal data for automated decision-making that produces legal or similarly significant effects.  We do not engage in profiling as defined by these laws so we do not offer an opt out from this type of profiling.

Microsoft makes it easy for you to exercise your rights. Using your privacy dashboard, you can log into your Microsoft account and view, download, or delete specific pieces of personal data we have collected.  You can also manage, correct, and update your data directly, such as through your Microsoft account. Specific products may provide additional controls. Please see the How to access and control your personal data section of the privacy statement for more information about other tools we provide to help you control your personal data.

A valid login is required to access or delete personal data associated with a Microsoft account. This is to protect the security of consumers and their data.

If you do not have a Microsoft account or have a more detailed privacy inquiry, you can submit a request to our privacy support team via our privacy support and requests page or call our U.S. toll free number +1 (844) 931 2038. To further protect your personal data, we may ask for additional information, such as your country of residence, email address, and phone number to validate your identity and request before honoring the request. If you use an authorized agent, we provide your agent with detailed guidance on how to exercise your privacy rights. In some situations, we may ask you for more information to help us fulfill your request.

If you have made a request to exercise your rights and believe your request was denied by Microsoft, you can exercise your right to appeal the results of your request by contacting our privacy support team via our privacy support and requests page. If your appeal is unsuccessful, you may have the right to raise a concern or lodge a complaint with your state attorney general, depending upon the state where you live.

The CCPA and other U.S. state data privacy laws allow businesses to offer consumers financial incentives for sharing personal information. For example, a business can offer a rewards program or provide a premium service to consumers as compensation for their personal information. Where Microsoft offers these programs, your participation is optional. If you choose to participate, your participation will be subject to any applicable terms, and you may withdraw at any time.

U.S. state privacy laws prohibit businesses from discriminating against you for exercising your rights under the law. Such discrimination may include denying a good or service, providing a different level or quality of service, or charging different prices. The CCPA permits businesses to provide differing levels or quality or different prices where the business can demonstrate that the difference is reasonably related to the value to the business of the consumer’s personal information.

In some situations, Microsoft may process de-identified data. Data is in this state when we are not able to link data to an individual to whom such data may relate without taking additional steps. In those instances, and unless allowed under applicable law, we will keep that data de-identified, and will not try to re-identify the individual to whom the de-identified data relates.

The CCPA requires businesses to disclose the number of requests received, complied with in whole or in part, or denied. We give our customers control over their data through the Microsoft privacy dashboard, which receives millions of requests from customers globally to view and delete data. Requests to view and delete personal data on the Privacy dashboard are fulfilled immediately. We provide tools in which our customers can manage, correct, and update their information directly, such as through their Microsoft account.

We also provide a privacy support and requests for customers to contact our privacy team, the Privacy Response Center, for additional support. Requests to view, correct, export, and delete personal data are fulfilled within 30 days through the various tools Microsoft provides.

2025 California privacy rights requests

We also responded to 104,021 requests from U.S. Microsoft account holders to opt-out of sharing data with third parties for personalized advertising purposes through our third-party ads settings control.

We did not receive any California privacy requests to correct through our Privacy Response Center in 2025.

We determine whether someone is a California consumer by (1) IP address for the Privacy Dashboard and (2) whether they mention CCPA in their request for the Privacy Response Center.

Eleven California privacy requests were denied in 2025 due to an inability to verify the request. Six of these were requests to know, and five were requests to delete.

The average response time to complete received requests was less than one day. Our privacy team responded to requests from California consumers submitted through our privacy webform with an average of 4 days for access and deletion requests.

Certain data may not be provided or may be retained according to the Microsoft Privacy Statement, for example, to comply with applicable laws.

This California privacy requests report is updated annually. As of June 2026, we updated the metrics for requests related to the right to know, delete, and opt-out of sharing for the period from January until December 2025.  

As noted above, we do not sell personal information, and do not use or disclose your sensitive data for purposes other than those listed above, without your consent, or as permitted or required under applicable laws. Therefore, we do not offer consumers a way to opt-out of the sale of their personal information or limit the use of their sensitive data.

Microsoft is currently registered in Oregon as Microsoft Corporation, Microsoft Infrastructure Group LLC, and Obsidian Entertainment.