According to DataGuidance, the Austrian Data Protection Authority (DSB) ruled that Microsoft unlawfully placed tracking cookies, without consent, on the devices of underage students using Microsoft 365 Education Edition. This is another win for the Austria-based digital privacy activist group None of Your Business (noyb) in a related case.

According to Microsoft's official documentation, the purposes of the cookies involved include analyzing user behavior, collecting browser data, and thus providing support for advertising. The DSB has ordered Microsoft to stop tracking the student who complained within four weeks. It is worth noting that both the school involved and the Austrian Ministry of Education stated that they were not aware of the existence of these tracking cookies before noyb filed the complaint.


This ruling stems from an investigation request made by noyb in 2024. At that time, the organization asked the Austrian data protection agency to verify whether Microsoft 365 Education violated the transparency provisions of the General Data Protection Regulation (GDPR). noyb pointed out that Microsoft transferred data protection obligations to schools using its system and did not guarantee the right of data subjects to access their own data. Even with Microsoft's privacy documents, access requests and noyb's own research, it was not possible to fully clarify what children's data the education version of the software was processing.

In fact, this is not the first time Microsoft has lost a related case. In October last year, the DSB ruled that Microsoft "illegally" tracked students through the 365 education platform and tried to shift the responsibility for data access requests onto local schools. The DSB also ordered Microsoft to provide complete data transmission information and clear explanations of terms such as "internal reporting", "business modeling" and "core function improvements".

In response to the latest ruling, a Microsoft spokesperson said that Microsoft 365 Education meets all necessary data protection standards and that educational institutions can continue to use it in compliance with GDPR. The company is studying the ruling and will decide on follow-up measures in due course.

noyb data protection lawyer Felix Mikolasch emphasized in a statement that tracking minors is obviously inconsistent with privacy protection principles. Microsoft does not seem to really pay attention to privacy protection, and the relevant measures are more for marketing and public relations purposes.