Austria Orders Microsoft to Stop School Tracking Cookies Under GDPR

Microsoft has been ordered by Austria’s data protection authority to stop deploying tracking cookies on a pupil’s device after the regulator found the cookies were installed without valid consent and were being used for purposes that go beyond purely educational needs. The ruling — the latest in a string of regulatory confrontations over how Big Tech handles school data — names specific cookie identifiers, rejects Microsoft’s attempt to shift responsibility to its European subsidiary, and gives the company a strict timeframe to cease the contested processing for the affected child.

Background

Microsoft 365 Education is one of the dominant cloud suites used in schools across Europe, combining cloud-hosted Office apps, email, Teams, OneDrive and a raft of telemetry and analytics features intended to improve reliability and product development. During the pandemic, many schools adopted cloud platforms rapidly, and some deployed Microsoft 365 Education at scale to enable remote learning. That swift rollout created, in some jurisdictions, an under-specified relationship between school authorities who contract the service and the vendor who operates it.
Austrian privacy campaigners launched formal challenges in 2024 to clarify whether Microsoft’s educational offering respected students’ rights under the General Data Protection Regulation (GDPR). The complaints focused on two core issues: (1) whether Microsoft 365 Education deployed tracking cookies and other telemetry on pupil devices without lawful basis, and (2) whether data subjects (or their guardians) were being denied full access to the personal data processed about them. The Austrian regulator (Datenschutzbehörde, DSB) has now issued two decisive rulings: an earlier decision addressing transparency and the right of access, and a subsequent order that specifically targets the use of tracking cookies in a pupil’s browser session.
Together these decisions sharpen the legal and practical obligations for technology vendors, national ministries, and schools when processing children’s personal data in an educational setting.

What the DSB found: key facts of the cookie ruling

The unlawful deployment of cookies

The DSB concluded that Microsoft placed multiple cookies on a pupil’s device while the child used Microsoft 365 Education — including when editing a Word document in the browser — and that these cookies were not strictly necessary for the educational service. Under GDPR the deployment of tracking, advertising, or analytics cookies that are not technically essential requires a valid legal basis, generally consent for browser cookies. The regulator found that no such consent had been obtained for the pupil.
The authority identified a set of cookie identifiers and telemetry elements that it considered to fall outside the “strictly necessary” category. Key items listed by the regulator include cookies such as MC1, FPC, MSFPC, MicrosoftApplicationsTelemetryDeviceId and ai-session. These were treated as not technically necessary when used for tracking or advertising and therefore required separate justification, which the DSB found lacking.

Dual-purpose cookies and consent complexity

A recurrent technical detail in the ruling is the problem of dual-purpose cookies: cookies that Microsoft’s documentation acknowledges can be used both for necessary operational tasks and for optional analytics or advertising purposes depending on configuration. The regulator stressed that where a cookie has at least one purpose that requires consent (for example, behavioural advertising), consent must be collected for that purpose before it is used in that way — even if the cookie also has a functional purpose in other contexts.
This distinction is legally important: it prevents vendors from relying on a “technical necessity” claim to avoid consent when the same identifier is also used for tracking.

Who is responsible?

Microsoft tried to argue that its European subsidiary (commonly Microsoft Ireland Operations Limited) was the relevant responsible entity for the Microsoft 365 Education product in the European Economic Area. The DSB rejected this claim in substance and emphasized that the parent company in the United States had ultimate product control and decision-making authority relevant to the case. As a result, the regulator treated Microsoft’s global group as responsible for aspects of the processing and did not accept a simplistic jurisdictional shield based on an Irish corporate presence.
This approach has two consequences: first, it closes a common strategic defence used by multinational vendors; second, it affects which supervisory authority should be considered competent in cross-border enforcement scenarios.

Orders and timeframes

The DSB ordered Microsoft to cease the contested tracking of the complainant within a short statutory timeframe and to provide clearer, concrete disclosures about the purposes of processing. In the specific case it gave Microsoft a compliance window to stop the processing tied to the identified cookies — a timeframe the regulator described as appropriate given the child data involved.
The decision also built on an earlier DSB finding that Microsoft had not met data subjects’ access rights (Article 15 GDPR) when users — or their guardians — requested information about the data processed by Microsoft 365 Education. That prior ruling required Microsoft to provide complete information about what data it collects and how it uses it, including explanations for terms such as “internal reporting,” “business modelling,” and “improvement of core functionality.” The regulator demanded transparency on whether data was transmitted to third parties referenced in telemetry logs and vendor documents.

Why this matters: legal and practical implications

Strengthening children's data protection under GDPR

Children occupy a sensitive category under the GDPR, and supervisory guidance has repeatedly emphasized the need for clearer, child-appropriate information and heightened protections. The DSB’s finding reinforces three core legal principles:
  • Strict interpretation of consent for non-essential cookies — schools and vendors cannot treat behavioural or advertising-related cookies as technically necessary to provide the service.
  • Higher transparency standards for minors — the explanations must be concrete, precise and understandable for children and their guardians.
  • No “pass-the-buck” to schools — vendors cannot evade obligations by shifting the burden of compliance entirely onto local educational institutions.
For privacy teams, school systems, and procurement officials, this is a red flag: reliance on vendor documentation that uses high-level, abstract terms will not meet the DSB’s standard.

Operational exposure for schools and ministries

The rulings make clear that ministries of education and school administrators cannot hide behind contractual framing and must ensure that products deployed in classrooms actually comply with data protection law. In practice, many institutions that adopted cloud suites quickly may now face three operational demands:
  • Audit deployed cookie footprints on pupil devices and school-managed browsers.
  • Verify contractual guarantees and technical controls provided by vendors match what is actually implemented.
  • Provide parents and pupils with accurate, granular information about what data is collected and whom it is shared with.
If schools discover non-consensual tracking in their deployments, they will have to remediate quickly or face regulatory scrutiny as joint controllers in some contexts.

Pressure on vendors to re-examine telemetry defaults

For vendors such as Microsoft, default product behaviour matters. The combination of default telemetry and self-described “dual-purpose” cookies creates legal risk. Cloud providers must:
  • Segregate strictly necessary functionality from optional telemetry.
  • Ensure telemetry that can be used for advertising or profiling is either disabled by default in education tenants or requires explicit consent and clear opt-in flows.
  • Improve documentation so that institutions can give precise data subject information and respond to access requests.
This will likely accelerate product changes (technical defaults, admin controls, cookie inventories tailored to education tenants) so that educational deployments can be demonstrably compliant.

Technical analysis: what the ruling reveals about cookies and telemetry

Names and functions flagged by the regulator

The DSB’s decision names cookie IDs and telemetry elements that product documentation links to user identification, analytics and advertising. Among the identifiers cited are:
  • MUID, MC1, MSFPC — identifiers historically associated with Microsoft’s cross-site browser identification and session controls, which may be used for analytics and advertising.
  • MicrosoftApplicationsTelemetryDeviceId and ai-session — telemetry identifiers used for application and AI/telemetry sessions.
Vendor documentation and public privacy statements confirm that Microsoft’s cookie ecosystem serves multiple uses: authentication, performance and availability, security, analytics, and interest-based advertising. The regulator’s point is that where any of those identifiers are used for behavioural analytics or advertising, they cannot be treated as exempt from consent when deployed on minors' devices.

The problem with “dual-purpose” identifiers

Dual-purpose cookies are a recurring thorn. Vendors may design identifiers that are used for necessary technical functions (load balancing, session stability) but are also optionally used to measure usage and feed into product analytics or advertising stacks. The regulator highlighted that the presence of tracking uses transforms the legal analysis: the potentially privacy-invasive purpose requires separate legal justification and, typically for cookies, consent.
Technically, the remedy options include:
  • Splitting cookies into strictly necessary and optional categories with separate lifetimes and scoping.
  • Offering admin-level toggles that by default turn off non-essential telemetry in education tenants.
  • Maintaining an auditable cookie inventory that maps identifiers to precise, purpose-bound processing.

Transfers to third parties — unclear but flagged

During proceedings the regulator requested clarification on whether any pupil data was transferred to third parties or vendors such as advertising or analytics platforms. The earlier decision explicitly asked Microsoft to clarify if telemetry reached parties referenced in logs (the regulator used redacted references in its findings).
At present, the regulator’s order requires Microsoft to disclose whether data was transmitted to third parties and to clarify the role of any recipients. The presence of stakeholders such as advertising intermediaries — even if only visible in telemetry logs — triggers stricter transfer scrutiny under GDPR.
Caveat: the ruling orders clarification and, in some earlier findings, identifies that telemetry logs contain references to third parties, but it does not conclusively establish in public text that a full set of student personal data was forwarded to each named vendor. That remains an area where the DSB demanded explicit disclosure.

Critical appraisal: strengths and limitations of the ruling

Notable strengths

  • Child-focused protection: The DSB’s insistence on child-appropriate clarity and stricter scrutiny for minors reflects robust application of GDPR principles to a high-impact context.
  • Technical specificity: By naming cookie identifiers and calling out dual-purpose cookies, the regulator offers useful technical guidance that IT administrators can act on immediately.
  • Countering jurisdictional buck-passing: The rejection of a simplistic “Irish subsidiary” shield limits corporate strategies that use internal corporate structures to avoid substantive EU scrutiny.
  • Concrete remedial measures: The orders include concrete steps — stop the tracking for the complainant within a prescribed timeframe and provide precise disclosures — which increase the ruling’s practical enforceability.

Potential limitations and open questions

  • Scope and precedent: The decision applies to the specific facts of the complaint: one pupil’s account and the configurations found on the date of the incident. How universally this will apply to every school deployment across Europe depends on fact-specific audits and whether other DPAs follow suit.
  • Technical complexity of telemetry: Modern cloud systems emit vast telemetry streams where metadata, performance metrics, and identifiers intermix. Distinguishing strictly necessary telemetry from optional analytics requires careful engineering work that may be time-consuming for vendors and customers.
  • Unclear third-party flow outcomes: Although the DSB demanded clarity on third-party transfers, public summaries do not yet disclose whether definitive data transfers to specific external advertising or AI vendors occurred and, if so, on what legal basis.
  • Enforcement asymmetry: Even if the DSB’s orders are strong, the practical enforcement and remediation across millions of seats and different national procurement contracts will be uneven — and some schools may be slow to respond or lack technical resources to change client-side behavior.

Practical advice: what schools, administrators and parents should do now

For school IT teams and procurement

  • Conduct an immediate cookie and telemetry audit on school-managed devices and school tenant configurations. Identify any non-essential cookies set during normal classroom use of Microsoft 365 Education.
  • Review administrative settings in the education tenancy to disable optional telemetry and behavioural tracking where feasible by default.
  • Demand a clear cookie inventory from vendors that directly maps cookie identifiers to purposes, retention, and recipients — and insist on child-friendly explanations suitable for students and parents.
  • Update privacy notices and consent flows presented to guardians to reflect actual telemetry and any third-party data flows.
  • Maintain an incident log and demonstrate remediation steps taken should a regulator ask for evidence.

For parents and guardians

  • Request a formal data access and processing description from your child’s school — under GDPR you and your child have rights to access the personal data being processed.
  • Ask the school which administrative measures and vendor settings are used to minimise non-essential tracking for pupils.
  • If you suspect unlawful processing, you can lodge a complaint with your national data protection authority.

For vendors (including Microsoft)

  • Re-examine product defaults for education tenants and implement “privacy-by-default” settings that minimise optional telemetry in child accounts.
  • Provide a machine-readable cookie inventory and a concise, child-appropriate privacy summary that schools can reuse directly in their communications.
  • Separate and isolate telemetry channels used for operations from those used for marketing or profiling, and provide administrators with granular on/off controls.

Wider consequences for cloud software, advertising and AI

The ruling is a clear signal that regulators will not accept opaque telemetry ecosystems in sensitive contexts like education. Vendors that depend on downstream data for advertising, profiling or AI training will need to demonstrate lawful bases and granular controls — particularly for minors.
Policy and procurement teams should expect:
  • Increased regulatory scrutiny across the EU for other widely used education platforms.
  • Pressure on vendors to adopt segregation of data flows and stricter defaults for education tenants.
  • More litigation and complaints from privacy groups seeking to expand the legal boundaries around telemetry and advertising in non-commercial environments.
Two further ripple effects deserve attention. First, educational procurement teams will increasingly demand contractual guarantees and technical attestations from vendors. Second, national authorities may issue guidance or binding recommendations to standardise what “privacy-safe” educational deployments look like — including lists of cookies considered necessary versus optional.

Final assessment: a turning point for student privacy — but not the last word

The Austrian regulator’s decision is significant because it pairs legal reasoning about children’s rights under GDPR with concrete technical markers (cookie names and telemetry identifiers). That combination makes the ruling both defensible in law and actionable in IT departments. It also narrows the ability of multinational vendors to hide behind corporate structures or abstract documentation.
However, the broader transformation needed to render cloud education platforms fully privacy-compliant is technical, contractual, and organisational. Vendors must make product choices that reflect legal constraints; schools must demand clear inventories and protective defaults; and regulators across Europe will need to coordinate to prevent shop‑floor inconsistency.
The DSB’s approach demonstrates how privacy law can intersect with product engineering to protect vulnerable users. For administrators, parents, and policymakers, the practical takeaway is clear: stop assuming vendor defaults are lawful, insist on transparency that a parent or pupil can understand, and treat consent and telemetry settings as first‑class elements of any school cloud deployment.
The ruling is a win for enforceable student privacy — and a warning that where education, cloud software, and advertising overlap, regulators will expect firms to bake protection into the product, not bolt it on as an afterthought.

Source: theregister.com Ruling: Microsoft illegally placed cookies on child's tech

At the end of January 2026 Austria’s data protection authority (DSB) delivered a sharp rebuke to Microsoft: the regulator found that Microsoft 365 Education had placed tracking cookies on the device of a pupil without a valid legal basis and ordered the company to stop that processing within four weeks. The ruling follows a pair of complaints filed by the privacy NGO noyb in 2024 and builds on an earlier DSB decision that found Microsoft had failed to satisfy a data‑subject access request under Article 15 of the GDPR. This is not a plug‑and‑play advisory — the DSB named specific cookie identifiers, rejected Microsoft’s attempt to shift responsibility to its European subsidiary, and framed the issue in explicitly child‑protection terms.

Background

During the pandemic, school systems across Europe accelerated their move to cloud‑based productivity suites. Microsoft 365 Education — a tenant offering that bundles Office web apps, Teams, OneDrive and centralized telemetry — became a default choice for many school districts. That rapid adoption left contractual and operational gaps: schools bought services as customers, while vendors retained control over backend telemetry and default configurations. noyb’s complaints, filed in June 2024, targeted two connected problems: a lack of transparent, actionable information about what Microsoft collects and how it is used, and the presence of cookies and telemetry in education deployments that may be being used for analytics or advertising rather than purely educational purposes. The DSB has now issued two decisive rulings in that procedure: an October 2025 decision on access rights and a January 2026 order specifically addressing cookie‑based tracking.

What the DSB actually found

Summary of the regulator’s conclusions

The DSB concluded that Microsoft had placed multiple cookies on a pupil’s device while the child used Microsoft 365 Education, and that those cookies were not “strictly necessary” for the basic educational functions. Because cookies used for tracking, analytics, or advertising require a separate legal basis (typically consent under EU law), the deployment without valid parental or pupil consent was unlawful. The regulator therefore ordered Microsoft to cease the contested processing for the complainant within four weeks and required Microsoft to clarify how it uses telemetry and whether data is shared with third parties.

Cookies called out by the DSB

The DSB’s decision names concrete identifiers as examples of cookies and telemetry elements it considered non‑essential in the education context. Items highlighted by the regulator include MC1, FPC, MSFPC, MicrosoftApplicationsTelemetryDeviceId and ai‑session, among others. In its reasoning the DSB emphasizes the “dual‑purpose” problem — identifiers that may be used for operational tasks in some contexts but can also feed analytics, profiling or advertising uses in others. Where a cookie has at least one purpose that requires consent (for example behavioural advertising), consent must be obtained before processing.

Transparency and the right of access

This cookie ruling is tied to the DSB’s earlier October 2025 decision, which found Microsoft had violated the right of access under Article 15 GDPR by not giving the complainant complete information about the personal data processed. The earlier decision forced Microsoft to explain — in clear terms — what it meant when using corporate phrasing like “internal reporting,” “business modelling,” or “improvement of core functionality,” and to disclose whether telemetry referenced parties such as LinkedIn, OpenAI or specific advertising intermediaries. That demand for granular clarity set the scene for the cookie order: the regulator is now asking vendors to produce operationally meaningful, verifiable descriptions of what data flows exist and why.

Legal frame: why cookies and children matter under the GDPR

Consent is not optional for non‑essential cookies

Under EU law the deployment of cookies that are not strictly necessary for a service requires a lawful basis. For browser cookies used for tracking, analytics or advertising the typical lawful basis is informed, specific consent. When the data subjects are minors, GDPR and supervisory guidance impose additional duties: clear, age‑appropriate information, heightened safeguards and a conservative approach to any profiling or marketing uses. The DSB’s logic is straightforward: if a cookie can enable profiling or advertising, and that cookie is set on a child’s device without clear consent, the processing is unlawful.

Joint vs single controller responsibilities

A persistent theme in the proceedings was Microsoft’s attempt to place the compliance burden on schools — i.e., “we provide tools to schools, the school is the data controller, so ask them.” The DSB rejected that binary framing in practice: where a vendor retains decisive control over product defaults, telemetry design and the flow of data to third parties, supervisory law can treat the vendor as carrying substantive responsibility. The regulator explicitly rejected a paper‑thin jurisdictional defence that tried to confine liability to Microsoft Ireland, concluding that relevant decision‑making rested with Microsoft in the United States for the contested processing. That reduces the effectiveness of a “pass‑the‑buck” compliance strategy for large vendors.

Technical detail: what “dual‑purpose” cookies mean for IT admins

Modern web platforms and SaaS products generate a cornucopia of telemetry: session identifiers, device fingerprints, performance metrics and event logs. Vendors sometimes reuse the same identifiers across operational and analytical pipelines to simplify engineering. The DSB’s technical point is simple and enforceable: reuse that produces profiling or advertising outcomes cannot be treated as “strictly necessary” even if the same identifier also supports a service function.
  • Dual‑purpose cookies create legal risk because one purpose (advertising/profiling) requires consent.
  • Remedies include splitting identifiers so that strictly necessary cookies are separate from analytics cookies, and disabling optional telemetry by default in education tenants.
The practical cookie identifiers the regulator flagged — MC1, FPC, MSFPC, MicrosoftApplicationsTelemetryDeviceId and ai‑session — are mentioned in Microsoft documentation and telemetry inventories. Administrators should audit which cookies are actually set during normal classroom workflows (e.g., editing a browser‑based Word doc or participating in Teams), then map each cookie to a purpose and retention policy. That audit is the first step toward proving compliance or detecting unlawful tracking.

Microsoft’s position and next steps

Microsoft’s public response — reproduced in mainstream reporting and in a corporate comment to The Register — is to reaffirm that “Microsoft 365 for Education meets all required data protection standards” and that educational institutions can continue to use the product in compliance with GDPR while the company reviews the decision and considers next steps. At the same time Microsoft is reported to be assessing whether to appeal or change product defaults and telemetry behaviours.
Practical options on the table for Microsoft include:
  • Re‑engineering telemetry defaults for education tenants so that non‑essential cookies are disabled by default.
  • Providing clearer, machine‑readable cookie inventories and admin controls that allow schools to toggle optional telemetry off.
  • Challenging the DSB’s interpretation via administrative appeal and potentially escalating to higher courts if the company believes the decision misapplies GDPR law or jurisdictional rules.
Any appeal would buy time, but regulators elsewhere — and contracting school systems — will be watching closely. The DSB’s denial of the Irish jurisdiction argument removes one convenient procedural defence and could encourage other European DPAs to take a more interventionist stance.

What this means for schools, procurement teams and parents

Immediate operational steps for school IT

  • Conduct a cookie and telemetry audit on school‑managed devices and school tenant configurations right away. Record which cookies are set in normal classroom use and whether any of them are non‑essential.
  • Check administrative settings in the Microsoft 365 Education tenancy. Look for telemetry or diagnostic toggles that can be disabled for pupil accounts.
  • Demand from the vendor a clear, itemized cookie inventory that maps cookie names to purpose, retention and third‑party recipients. Child‑appropriate explanations should be provided for parents and pupils.

For procurement and legal teams

  • Insist on contractual provisions that give the school both technical controls (to disable non‑essential telemetry) and verifiable audit rights (to confirm that vendor promises match deployed behaviour).
  • Require change‑control and notification commitments so that any vendor default changes (for example a telemetry update pushed by Microsoft) cannot be rolled out to education tenants without explicit administrator approval.

For parents and guardians

  • Under the GDPR you (or your child) have the right to request access to personal data processed by cloud services used in school. If you suspect unlawful processing (for example tracking without consent), request a formal data processing description from the school and, if unsatisfied, consider lodging a complaint with your national DPA.

Technical and product remedies: what vendors should do next

The DSB ruling makes clear that a purely legalistic, contract‑only approach will not pass muster. Vendors should proactively adopt the following measures if they want their education offerings to be demonstrably GDPR‑compatible:
  • Default to privacy: disable non‑essential telemetry and analytics by default in education tenants. Make opt‑in explicit and auditable.
  • Cookie separation: split identifiers so that strictly necessary cookies have distinct identifiers and lifetimes from analytics/advertising cookies.
  • Admin transparency: provide a machine‑readable cookie inventory (mapping cookie names to functions and processors) and a one‑click export that schools can publish to parents.
  • Child‑first communication: produce concise, age‑appropriate privacy notices so pupils and guardians can meaningfully consent where required.
  • Third‑party mapping: be explicit about any data flows to external providers (advertisers, analytics vendors, AI model training pipelines) and the legal basis for those transfers. If the DSB’s prior ruling requested clarifications about whether data was sent to LinkedIn, OpenAI or advertising intermediaries, vendors must either demonstrate lawful bases or stop the transfers until lawful grounds are clear. Note that claims of third‑party transfers should be treated carefully unless the vendor or regulator provides evidence; where such transfers are alleged, regulators will want concrete logs and contracts.

Broader implications: advertising, AI training and the surveillance economy in classrooms

This decision resonates beyond cookies. Cloud platforms increasingly reuse telemetry to improve product reliability and to feed analytics that can be monetized — including for ad targeting or to inform AI models. The DSB’s approach suggests a narrow path for vendors:
  • Data used to profile or optimize advertising or to feed external AI training must have a lawful basis that is appropriate for minors.
  • Default telemetry that helps product engineering is more likely to be lawful; telemetry used for profiling must be subject to stricter controls and consent.
  • National authorities will increasingly interrogate what “improvement of core functionality” or “business modelling” actually means in practice rather than accepting high‑level corporate phrasing.
noyb and the DSB also pressed Microsoft for clarification about whether telemetry data ever ended up with third parties; that line of inquiry feeds into debates about whether large AI vendors can legitimately rely on production telemetry from education deployments to improve models or products without more explicit legal bases and transparency. At present there is no public, independently verified proof that education‑derived pupil data was used to train external models; the DSB has requested clarifications and Microsoft will be required to state the facts. That is an area where the regulator’s order demands further disclosure rather than making an unqualified factual finding. Readers should treat any claims about specific downstream uses (for example definitive use for OpenAI or LinkedIn) as allegations or questions that the DSB wants Microsoft to answer rather than established, adjudicated facts — until Microsoft or the regulator publishes conclusive evidence.

Legal and commercial risk for Microsoft and other vendors

The DSB’s orders create immediate compliance and reputational risk. Potential downstream consequences include:
  • Operational change costs: engineering work to separate telemetry channels and change defaults across millions of education tenants.
  • Contractual exposure: procurement teams may demand remediation or refuse contracts that lack the required administrative controls.
  • Regulatory follow‑up: if Microsoft fails to comply with the DSB’s required measures, national DPAs could levy administrative fines or issue broader corrective orders, and other EU DPAs might open parallel probes.
Microsoft’s realistic options are to change product behaviour quickly in the education context to eliminate disputed cookies, or to litigate/appeal the DSB’s interpretation — a move that might delay compliance but invites more regulatory attention across member states.

Practical checklist for Windows administrators in schools (quick, actionable)

  • Audit: sign in with a pupil account on a fully patched, school‑managed Windows device and capture cookies while performing typical class tasks (Teams call, editing Word for the web, opening SharePoint links), for example by exporting a HAR file from the browser’s developer tools. Log cookie names, the domains that set them, and their lifetimes.
  • Map: create a table mapping cookie names to purpose (authentication, session, telemetry, advertising).
  • Disable: where possible, disable non‑essential telemetry at the tenant or policy level and ensure pupil accounts get the most restrictive default.
  • Document: obtain from the vendor a formal cookie inventory and short, child‑friendly explanations you can share with parents.
  • Notify: update privacy notices and consent flows to reflect actual telemetry and third‑party flows.
  • Record: keep an evidence trail of remediation steps to show compliance if regulators ask.
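The Audit, Map and Record steps above can be turned into a repeatable script. The following PowerShell is an added example written for this page; it is not code from the article, from Microsoft or from the DSB proceedings. It assumes the capture is a HAR file exported from the browser developer tools (HAR 1.2: log.entries[].response.cookies[]). The cookie names, the purpose map, the first‑party domains and the embedded sample HAR are all constructed placeholders so the script runs offline; in a real audit the purpose map must be filled from the vendor’s formal cookie inventory, and the cookie names seen will be whatever the capture contains.

```powershell
<#
  Cookie audit helper for school-managed Windows devices (added example, not vendor code).
  Usage: .\Audit-Cookies.ps1 -HarPath .\pupil-session.har
  With no -HarPath the CONSTRUCTED sample HAR below is used so the script runs offline.
#>
[CmdletBinding()]
param(
    [string]$HarPath,
    [string]$EvidencePath = (Join-Path $PWD 'cookie-audit-evidence.json')
)

# CONSTRUCTED purpose map: cookie-name prefix -> declared purpose.
# Populate from the vendor's cookie inventory; do not guess purposes in a real audit.
$PurposeMap = [ordered]@{
    'sess_' = 'session'
    'auth_' = 'authentication'
    'tel_'  = 'telemetry'
    'ad_'   = 'advertising'
}

# CONSTRUCTED list of hosts the school has actually contracted for; anything else is third-party.
$FirstPartyDomains = @('portal.school-tenant.example', 'files.school-tenant.example')

# CONSTRUCTED sample capture in HAR 1.2 shape; real captures come from DevTools > Network > Export HAR.
$SampleHar = @'
{ "log": { "version": "1.2", "entries": [
  { "startedDateTime": "2025-01-15T09:00:00.000Z",
    "request":  { "url": "https://portal.school-tenant.example/" },
    "response": { "cookies": [
      { "name": "sess_id",  "domain": "portal.school-tenant.example", "expires": null },
      { "name": "auth_tok", "domain": "portal.school-tenant.example", "expires": "2025-01-15T17:00:00.000Z" } ] } },
  { "startedDateTime": "2025-01-15T09:00:02.000Z",
    "request":  { "url": "https://collector.analytics-vendor.example/beacon" },
    "response": { "cookies": [
      { "name": "tel_device", "domain": "collector.analytics-vendor.example", "expires": "2026-01-15T09:00:02.000Z" },
      { "name": "xyz_unk",    "domain": "collector.analytics-vendor.example", "expires": "2026-01-15T09:00:02.000Z" } ] } }
] } }
'@

function Get-CookiePurpose {
    # Map a cookie name to its declared purpose; unmapped names are 'unknown' and must be explained by the vendor.
    param([string]$Name)
    foreach ($prefix in $PurposeMap.Keys) {
        if ($Name.StartsWith($prefix)) { return $PurposeMap[$prefix] }
    }
    return 'unknown'
}

function Test-FirstParty {
    # True when the cookie domain is, or is a subdomain of, a contracted first-party host.
    param([string]$Domain)
    $d = $Domain.TrimStart('.')
    foreach ($fp in $FirstPartyDomains) {
        if ($d -eq $fp -or $d.EndsWith(".$fp")) { return $true }
    }
    return $false
}

$harJson = if ($HarPath) { Get-Content -Raw -Path $HarPath } else { $SampleHar }
$har     = $harJson | ConvertFrom-Json

# Map step: one row per cookie set during the session, with purpose, party and persistence.
$findings = foreach ($entry in $har.log.entries) {
    foreach ($cookie in $entry.response.cookies) {
        $purpose    = Get-CookiePurpose $cookie.name
        $firstParty = Test-FirstParty $cookie.domain
        [pscustomobject]@{
            Cookie     = $cookie.name
            Domain     = $cookie.domain
            SetBy      = $entry.request.url
            Purpose    = $purpose
            FirstParty = $firstParty
            # An expiry value means the cookie outlives the browser session (persistent, device-identifying potential).
            Persistent = -not [string]::IsNullOrEmpty($cookie.expires)
            # Anything third-party, or whose purpose is telemetry/advertising/unknown, needs a lawful basis or a policy switch-off.
            ReviewFlag = (-not $firstParty) -or ($purpose -in @('telemetry', 'advertising', 'unknown'))
        }
    }
}

$findings | Sort-Object ReviewFlag -Descending |
    Format-Table Cookie, Domain, Purpose, FirstParty, Persistent, ReviewFlag -AutoSize

# Record step: evidence trail tying the findings to who ran the audit, when, on which device, against which capture.
$captureBytes = [Text.Encoding]::UTF8.GetBytes($harJson)
$evidence = [pscustomobject]@{
    AuditedAt     = (Get-Date).ToString('o')
    Auditor       = "$env:USERDOMAIN\$env:USERNAME"
    Device        = $env:COMPUTERNAME
    CaptureSha256 = (Get-FileHash -InputStream ([IO.MemoryStream]::new($captureBytes)) -Algorithm SHA256).Hash
    Flagged       = @($findings | Where-Object ReviewFlag)
}
$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path $EvidencePath -Encoding UTF8
Write-Host "Evidence written to $EvidencePath"
```

Run it once per representative pupil workflow and keep the HAR alongside the evidence JSON, since the hash in the record is only useful if the capture it refers to is retained. Every row flagged as third‑party or unknown is a question to put to the vendor in writing before the tenant is treated as compliant; rows whose purpose is telemetry or advertising are the candidates for a tenant‑ or policy‑level switch‑off in the Disable step.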

Caveats, open questions and a word on verification

This DSB decision is significant, but it is fact‑specific and tied to the particular configuration and telemetry footprint at the time of the complaint. The regulator has ordered disclosure and remediation for the complainant; it is not, at least in the public summaries, a pan‑European final judgment that automatically applies in identical form to every tenant everywhere. That said, the DSB’s refusal to let Microsoft shift responsibility to its European subsidiary, together with its naming of specific cookies, gives other supervisors and IT teams clear, replicable technical guidance.
Readers should also note where claims remain unverified in public reporting. For example, references to specific downstream recipients such as LinkedIn, OpenAI or ad intermediaries are drawn from regulatory requests and telemetry logs referenced in the DSB’s proceedings, but public summaries do not yet provide full, itemized logs proving each transfer. The DSB has demanded clarification; those supplier‑to‑regulator disclosures will determine whether the most serious transfer allegations are proved or remain unresolved. Treat those aspects as pending confirmation rather than settled fact.

Final assessment: a practical turning point for student privacy and a call to action

The DSB’s order is a practical ruling with real consequences: it names cookie identifiers, rejects simplistic jurisdictional defences, and demands both remedial steps and clarity about data uses. For schools and education ministries this should be a wake‑up call — vendor defaults cannot be assumed compliant, and institutions must require verifiable, machine‑readable transparency and granular controls from suppliers.
For Microsoft and other large cloud vendors, the lesson is equally stark: product defaults and telemetry architectures matter legally, not just technically. If vendors intend their education offerings to be privacy‑safe, they must engineer privacy‑by‑default, provide auditable inventories, and treat children’s data with the conservative legal posture the GDPR demands.
This is not the end of the story. Microsoft can comply by adjusting defaults, or it can appeal — and other DPAs will be watching closely. In the meantime, school IT teams, procurement officers and parents should treat telemetry audits and vendor inventories as mandatory elements of responsible digital schooling. The DSB’s decision makes compliance an engineering task, a procurement requirement, and a legal obligation — and it underscores a simple truth: when children are involved, regulators expect more than corporate one‑liners about privacy being a priority.

Conclusion
The Austrian DSB’s finding that Microsoft 365 Education deployed non‑essential tracking cookies on a pupil’s device — and the subsequent order to stop that processing within a strict timeframe — is a consequential development for education IT. It converts abstract privacy obligations into a set of clear technical and contractual demands: separate operational and profiling telemetry, default non‑tracking for minors, and transparent, auditable inventories that schools and parents can rely on. For schools, the judgment raises immediate obligations to audit and document; for Microsoft and peers, it demands meaningful product change or a willingness to litigate. Either way, the ruling tightens the legal contours around cloud telemetry in classrooms and raises the bar for how vendors must design and disclose the invisible plumbing of modern digital education.

Source: Windows Central Microsoft caught tracking an Austrian minor's device via cookies