An Austrian privacy regulator has ruled that Microsoft illegally set tracking cookies on a school‑issued device used by a child, even though the issue stemmed from how the school deployed Microsoft 365 services rather than anything Microsoft directly controlled. The decision argues that because Microsoft’s services delivered the content that placed the cookies, the company still shares responsibility for the consent failure — a finding that could have far‑reaching implications for cloud providers operating in tightly regulated environments.
At the height of the COVID-19 pandemic, schools rapidly shifted to online platforms like Microsoft 365 Education and Google Workspace for Education to ensure students weren’t held back from learning.
You may like
Microsoft 365 logos. (Image credit: Microsoft)
The first complaint was decided in October 2025, marking a significant victory for the digital privacy group, as the Austrian data protection authority (DSB) ruled that Microsoft had violated the right of access under Article 15 of the GDPR.
Microsoft was ordered by the authority to provide more information about the data transmitted. It was also required to provide clear explanations of what it meant when using the terms “internal reporting,” “business modeling,” and “improvement of core functionality.”
And now, the authority has decided on the second complaint about Microsoft’s alleged use of unlawful tracking cookies in its 365 Education platform. The authority established that Microsoft had acted unlawfully by placing tracking cookies on the devices of a minor using its 365 Education platform.
Tracking minors clearly isn’t privacy-friendly. It seems like Microsoft doesn’t care much about privacy, unless it is for their marketing and PR statements.
Felix Mikolasch, data protection lawyer at noyb
While speaking to The Register, a Microsoft spokesman indicated that:
“Microsoft 365 for Education meets all required data protection standards and institutions in the education sector can continue to use it in compliance with GDPR. We are reviewing the Austrian data protection authority’s latest decision and will decide on next steps in due course.”
To that end, Microsoft has four weeks to comply and stop using tracking cookies on the devices of the minor. The school and the Austrian Ministry of Education claimed that they weren’t aware of Microsoft using tracking cookies on minors before “noyb” raised the issue.
The ruling underscores a growing shift in how regulators interpret platform responsibility: cloud vendors are increasingly expected to enforce compliance even when customers misconfigure their deployments. As privacy enforcement becomes more expansive and less tolerant of configuration mistakes, cloud providers may need to rethink how they design consent flows, documentation, and safeguards to avoid being pulled into similar disputes.
Should Microsoft be punished for tracking kids? Share your thoughts in the comments and cast your vote!
Follow Windows Central on Google News to keep our latest news, insights, and features at the top of your feeds!