BreachOfPrivacy
Menu
Register / Login

No account? Contact us

Decisions/Federal (Canada)/Personal Information Protection and Electronic Documents Act/PIPEDA Report of Findings #2018-004: Microsoft to obtain opt-in consent, enhance transparency for Windows 10 privacy settings
Federal (Canada)Office of the Privacy Commissioner of CanadaPersonal Information Protection and Electronic Documents ActPIPEDA Report of Findings #2018-004Well-founded & conditionally resolved
Flag of Canada

PIPEDA Report of Findings #2018-004: Microsoft to obtain opt-in consent, enhance transparency for Windows 10 privacy settings

Organization: Microsoft
Decision: Jun 20, 2018Published: Jun 20, 2018
Official Decision ↗BookmarkView Governing Law
Plain-Language Summary

This investigation concerned Microsoft's Windows 10 privacy settings, which were initially set to 'on' by default during installation. The Office of the Privacy Commissioner of Canada (OPC) investigated whether Microsoft obtained valid consent for the collection, use, and disclosure of users' personal information. While Microsoft made several updates to improve clarity and consent mechanisms, the OPC identified ongoing concerns regarding the meaningfulness of consent for certain settings, particularly regarding diagnostics, tailored experiences, and speech recognition. Microsoft committed to implementing further changes, including obtaining opt-in consent for all installation privacy settings, enhancing transparency, and improving data protection measures.

Key Issues
  • Validity of consent for default privacy settings during Windows 10 installation.
  • Clarity and completeness of privacy communications provided to users.
  • Adequacy of measures to protect sensitive diagnostic data from being used for targeted marketing.
  • Ensuring meaningful consent for cloud-based speech recognition services.
Outcome

Complaint well-founded and conditionally resolved

Reasoning

The OPC found the complaint well-founded because Microsoft's initial default settings and privacy communications did not adequately inform users about the collection, use, and disclosure of their personal information. However, it was conditionally resolved due to Microsoft's commitments to implement significant changes that addressed the OPC's concerns.

AI-generated summary for reference only. Always verify against the official decision ↗

Decision Notes
Recommended action / remedy

Microsoft committed to obtaining opt-in consent for all installation privacy settings, enhancing privacy communications, augmenting procedures to ensure sensitive information is not used for tailored experiences, correcting the functioning of the speech recognition setting, and implementing measures to mitigate location tracking risks.

Statutory provisions cited
  • s. 6.1 PIPEDA
  • Principle 4.3 PIPEDA
  • Principle 4.3.2 PIPEDA
  • Principle 4.3.4 PIPEDA
  • Principle 4.3.5 PIPEDA
  • Principle 4.3.6 PIPEDA
  • Principle 4.1.4 PIPEDA

This summary is for informational purposes only and does not constitute legal advice.