Microsoft Enforcing Consent Signals Starting May 5

Hello all, and happy Thursday! 

Increasingly, the major software providers that underpin the internet and modern business are leaning into data privacy. 

Just recently, Microsoft announced it would be enforcing the provision of user consent signals starting May 5th. Basically, if you use Microsoft Advertising, Invest, Curate, or Monetize on your website, Microsoft will no longer accept data from website visitors based out of the EEA, UK, or Switzerland—unless you obtain affirmative opt-in consent first. 

Obviously, this will be a greater or lesser concern for businesses depending on where their traffic comes from. But even if you don’t use Microsoft on your site and don’t receive visitors from the aforementioned regions, this news should still matter to you for two reasons: 

1. It’s a bellwether for privacy. When Microsoft makes a move like this to protect itself and its users against non-compliance, it should underscore the importance of data privacy for any business with a digital presence. 
2. Though US data privacy laws don’t require opt-in consent for the most part, wiretap laws like CIPA do. Businesses are being successfully sued under these laws for using data trackers (like those from Microsoft, Google, and Meta) without user consent. Taking an opt-in approach to consent is lower risk, even if it’s not explicitly required by your governing privacy law. 

Microsoft’s announcement also calls out how businesses can manage user consent with their technology—but that approach requires fiddling with your tag manager or your website code, and it only applies to Microsoft data trackers.  

(Incidentally, did you know that Osano provides a consent management platform that makes it easy to manage consent for all users and across all data trackers?) 

Best, 

Arlo 

Highlights from Osano

In Case You Missed It...

Blog: Multi-Hyphenate Privacy Professionals: 3 Strategies for Success 

Most of us are privacy pros plus—plus AI, plus GRC, plus security, and on and on and on. We face different challenges than professionals who solely focus on data privacy compliance. Get more time in your day with these strategies for success. 

Read more 

Podcast: Compliance Is Good Business: Getting Beyond Fines with Tom Fox of Compliance Podcast Network 

AI and shifting regulations are dominating headlines, but a bigger transformation is happening in compliance—and businesses that fail to adapt will be left behind. Tom Fox, founder of Compliance Podcast Network, talks to Arlo Gilbert about this shift. 

Listen here 

Upcoming Webinars and Events...

The Privacy Pro Survival Summit 2: This Time It’s Personal 

In our second Privacy Pro Survival Summit, we’re putting the personal in personal data and showcasing a suite of thought leaders and experts from privacy, security, GRC, and related experts. Learn, connect with your peers, and maybe have a little fun along the way! 

Save your seat | Today!

Top Privacy Stories of the Week

FTC: 23andMe Buyer Must Honor Firm’s Privacy Promises for Genetic Data 

Federal Trade Commission (FTC) Chairman Andrew Ferguson said he's keeping an eye on 23andMe's bankruptcy proceeding and the company's planned sale because of privacy concerns related to genetic testing data. 23andMe and its future owner must uphold the company's privacy promises, Ferguson said in a letter sent yesterday to representatives of the US Trustee Program, a Justice Department division that oversees the administration of bankruptcy proceedings. 

Read more 

TikTok Buy-or-Ban Deadline Extended; Who’s Trying to Buy? 

President Donald Trump has for a second time extended the deadline that would have required TikTok to be sold or face a ban in the US. A bipartisan law passed by Congress last year mandates TikTok's Chinese parent company, ByteDance, sell the app. Trump intervened and delayed the ban until April 5, and now he has now granted another 75-day extension until June. Read more 

Microsoft’s New Cookie Consent Requirement Coming May 5, 2025 

Microsoft Advertising has announced that starting May 5, 2025, it will require all websites using its tracking tools to send a “consent signal” whenever someone from the European Union, United Kingdom, or Switzerland visits. Tracking technologies from Microsoft, Google, and Meta are commonly used across a wide range of websites (such as Microsoft’s Universal Event Tracking [UET] tag) —whether or not those sites actively target users in Europe. 

Read more 

US Appeals Court Reinstates Access to Personal Data for Elon Musk's DOGE 

The 4th U.S. Circuit Court of Appeals temporarily reinstated Elon Musk's Department of Government Efficiency (DOGE) access to Americans' private data held by the Treasury and Education Departments and the Office of Personnel Management. This overturns an earlier ruling that had blocked DOGE's access to the data. Critics are concerned about the potential misuse of sensitive information, including Social Security numbers, income details, and addresses, which could be used for political purposes. 

Read more 

UK ICO Issues Three Million GBP Monetary Penalty in Connection with Ransomware Attack 

The Information Commissioner’s Office (ICO) recently announced a fine of 3 million GBP (3.9 million USD) against a software provider for security deficiencies following a ransomware incident. This is the first time the ICO has fined a processor under the UK’s General Data Protection Regulation (GDPR). 

Read more 

Like what you hear from the Privacy Insider newsletter?

There's more to explore:

🎙️The Privacy Insider Podcast

We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.

📖 The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands

The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.

If you’re interested in working at Osano, check out our Careers page!