July 2008
Microsoft has a long-standing commitment to consumer privacy and we have put that commitment into action. Here are some examples:
Broad Self-regulatory Approach for Online Advertising. Microsoft recently filed comments with the Federal Trade Commission explaining the need for a broad self-regulatory privacy approach to online advertising, noting that all online advertising activities involve data collection from users and therefore have privacy implications.
Meaningful Online Advertising Principles. In July 2007, Microsoft announced five fundamental privacy principles for online search and ad targeting. These principles include commitments to user notice, user control, search data anonymization, security, and best practices.
Clear and Upfront User Notice. Microsoft was one of the first companies to develop so-called “layered” privacy notices that give clear and concise bullet-point summaries of our practices and direct users to a place where they can find more information. We post a link to this user-friendly privacy notice on every one of our web pages.
Robust User Control. Microsoft has recently deployed a robust method to enable users to opt out of behavioral advertising. Specifically, users can now tie their opt-out choice to their Windows Live ID so their choice can work across multiple computers and be more persistent (for example, deleting cookies will not erase their opt-out selection). We also highlight the availability of this opt-out choice on the first layer of our privacy notice.
Unique Steps To De-Identify Data. Microsoft is unique in our use of a technical method (known as a one-way cryptographic hash) to separate search terms from account holders’ personal information, such as name, email address, and phone number, and to keep them separated in a way that prevents them from being easily recombined. We have also relied on this method to ensure that we use only data that does not personally identify individual consumers to serve ads online.
Strict Search Data Anonymization. Microsoft will anonymize all search data after 18 months, which we believe is an appropriate timeframe in our circumstances to enable us to maintain and improve the security, integrity and quality of our services. In addition, unlike other companies, we will irreversibly remove the entire IP address and other cross-session identifiers, such as cookies and other machine identifiers, from search terms after 18 months.
Support for Federal and State Privacy Legislation. Microsoft has actively supported state legislation that would impose baseline notice, choice, and security requirements on entities that collect data to serve online ads. We also were one of the first companies to advocate for comprehensive federal privacy legislation in the United States.
Dedicated Privacy Personnel and Processes. Microsoft was one of the first companies to appoint a chief privacy officer, an action we took nearly a decade ago, and we currently employ over 40 employees who focus on privacy full-time, and another 400 who focus on it as part of their jobs. We have made significant investments in privacy in terms of dedicated personnel and training and by building robust privacy standards into our product development and other business processes.
Guidelines for Third Parties. Microsoft is committed to helping others in industry protect consumers’ privacy interests. For example, we have released a set of privacy guidelines designed to help developers build meaningful privacy protections into their software programs and online services.
Consumer Education and Private-Public Sector Partnerships. Microsoft has taken steps to educate consumers about ways to protect themselves while online, and we have worked closely with industry members and law enforcement around the world to identify security threats, share best practices, and improve our coordinated response to privacy, security and other Internet safety issues.
