Microsoft illegally installed cookies on schoolkid's tech, data protection ruling finds
- Reference: 1769516465
- News link: https://www.theregister.co.uk/2026/01/27/microsft_illegally_installed_cookies_ruling_austra_school/
- Source link:
In the second [1]ruling [PDF], won by Austria-based campaign group None of Your Business (noyb), the authority found that Microsoft acted unlawfully when it placed tracking cookies on the devices of a minor using Microsoft 365 Education.
Microsoft's own documentation says these cookies analyze user behavior, collect browser data, and are used for advertising. The DSB has also said the US software firm should stop tracking the complainant – whose identity was not disclosed – within four weeks. Both the school and the Austrian Ministry of Education claimed they were not aware of the tracking cookies before noyb raised the complaints.
[2]
Microsoft now has four weeks to comply and cease the use of tracking cookies on the devices of the minor. The Register has asked Microsoft to comment.
[3]
[4]
In [5]a statement , Felix Mikolasch, data protection lawyer at noyb, said: "Tracking minors clearly isn't privacy-friendly. It seems like Microsoft doesn't care much about privacy, unless it is for their marketing and PR statements."
In 2024, [6]noyb asked the Austrian data protection authority to investigate Microsoft 365 Education to clarify if it breaches transparency provisions under GDPR. It said the tech giant pushed data protection obligations onto schools that use the system, and failed to comply with subjects' right to access data about them. Neither Microsoft's privacy documentation, requests for access, nor noyb's research could fully clarify what data about children is being processed by Microsoft 365 Education.
[7]EU's reforms of GDPR, AI slated by privacy activists for 'playing into Big Tech's hands'
[8]Clearview AI faces criminal heat for ignoring EU data fines
[9]Whitebridge AI created false and alarming reputation reports, complaint alleges
[10]Meta training AI on social media posts? Only 7% in Europe think it's OK
The complaint dates back to the COVID-19 pandemic, when schools rapidly shifted to online learning, using the likes of Microsoft's 365 Education as well as Google's Workspace for Education and others.
In October last year, the Austrian digital privacy group claimed its [11]first victory in the case , after the DSB ruled Microsoft had "illegally" tracked students via its 365 Education platform and tried to shift responsibility for access requests to local schools.
[12]
The authority ordered the software giant to provide complete information about the data transmitted, and to provide clear explanations of what was meant by terms such as "internal reporting," "business modeling," and "improvement of core functionality." ®
Updated to add at 1423 UTC, January 27
A Microsoft spokesperson told The Register : "Microsoft 365 for Education meets all required data protection standards and institutions in the education sector can continue to use it in compliance with GDPR. We are reviewing the Austrian data protection authority's latest decision and will decide on next steps in due course."
Get our [13]Tech Resources
[1] https://noyb.eu/sites/default/files/2026-01/Standarderledigung%20Bescheid_geschw%C3%A4rzt.pdf
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aXjvQn_y7R55PK-AJ0ZUQwAAAMM&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aXjvQn_y7R55PK-AJ0ZUQwAAAMM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aXjvQn_y7R55PK-AJ0ZUQwAAAMM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://noyb.eu/en/noyb-win-microsoft-ordered-stop-tracking-school-children
[6] https://www.theregister.com/2024/06/04/noyb_microsoft_complaint/
[7] https://www.theregister.com/2025/11/11/eu_leaked_gdpr_ai_reforms/
[8] https://www.theregister.com/2025/10/28/noyb_criminal_charges_clearview/
[9] https://www.theregister.com/2025/09/29/whitebridge_ai_reputation_reports_complaint/
[10] https://www.theregister.com/2025/08/07/meta_training_ai_on_social/
[11] https://www.theregister.com/2025/10/13/microsoft_365_education_gdpr/
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aXjvQn_y7R55PK-AJ0ZUQwAAAMM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[13] https://whitepapers.theregister.com/
Re: Default On.
It would be easy peasy if their EU Data Boundary was more than marketing spin.
Re: Default On.
My parents always taught me never to accept candy from strangers but they never said anything about cookies from Microsoft.
Business model flaw
The problem is that people have to look at ways to turn this stuff off, because invading privacy is part of the business model of companies like Microsoft.
If companies approached the design of systems sensibly - lets look at relevant laws, regulations and local requirements and only then build it out, we'd end up with software that had privacy by design. It could then add stuff on top of that for markets where it can legally get more data, but instead it now has to scramble to undo what it has built instead.
"should stop tracking the complainant ... within four weeks."
What's the penalty if they don't? I see a mention of 50 Euros in the PDF but without knowing German I'm not sure of the significance. Is that 50 each day of failure? If so they might not bother. 50 per day per affected pupil in Austria might get their attention. 50 per day per pupil across the whole EU might get something done.
I only skimmed the document, but the fifty Euros at the end relates to the cost of submitting an appeal against the decision. It seems absurdly low compared to the likely cost it would cause the receiving authority, but I suppose it is set at a level so as not to exclude private individuals.
Thanks.
So no penalty mentioned? I suppose it must be a procedural thing and if they don't stop then penalties get decided on then. So we can hope for a percentage of annual revenue.
GDPR penalties incoming!
Let's hope this turns into a fine of 4% of Microsoft's global turnover.
If that actually happens, my suspicion is that a certain mad orange king might pull out his tariff threats again. Good. The sooner the EU stops using US software and services, the better.
Re: GDPR penalties incoming!
Hopefully they'll include all their AI spend inthie turnover to inflate numbers. Just make it more costly to MS.
Default On.
It's kinda hard to turn OFF something that is turned ON by default to everybody, right?