Microsoft illegally installed cookies on a school pupil’s devices without consent, according to a ruling by the Austrian data protection authority (DSB).
In the second ruling [PDF], won by Austria-based campaign group None of Your Business (noyb), the authority found that Microsoft acted unlawfully when it placed tracking cookies on the devices of a minor using Microsoft 365 Education.
Microsoft’s own documentation says these cookies analyze user behavior, collect browser data, and are used for advertising. The DSB has also said the US software firm should stop tracking the complainant – whose identity was not disclosed – within four weeks. Both the school and the Austrian Ministry of Education claimed they were not aware of the tracking cookies before noyb raised the complaints.
Microsoft now has four weeks to comply and cease the use of tracking cookies on the devices of the minor. The Register has asked Microsoft to comment.
In a statement, Felix Mikolasch, data protection lawyer at noyb, said: “Tracking minors clearly isn’t privacy-friendly. It seems like Microsoft doesn’t care much about privacy, unless it is for their marketing and PR statements.”
In 2024, noyb asked the Austrian data protection authority to investigate Microsoft 365 Education to clarify if it breaches transparency provisions under GDPR. It said the tech giant pushed data protection obligations onto schools that use the system, and failed to comply with subjects’ right to access data about them. Neither Microsoft’s privacy documentation, requests for access, nor noyb’s research could fully clarify what data about children is being processed by Microsoft 365 Education.
The complaint dates back to the COVID-19 pandemic, when schools rapidly shifted to online learning, using the likes of Microsoft’s 365 Education as well as Google’s Workspace for Education and others.
In October last year, the Austrian digital privacy group claimed its first victory in the case, after the DSB ruled Microsoft had “illegally” tracked students via its 365 Education platform and tried to shift responsibility for access requests to local schools.
The authority ordered the software giant to provide complete information about the data transmitted, and to provide clear explanations of what was meant by terms such as “internal reporting,” “business modeling” and “improvement of core functionality.” ®