Microsoft Advertising (Bing Ads) and Data Protection – What Website Operators Need to Know

If a website operator uses Microsoft Advertising (formerly Bing Ads) for conversion measurement and audience tracking, it processes user and interaction data for the purpose of advertising campaign measurement and audience targeting on the basis of consent and/or legitimate interests. Unlike Meta Pixel or LinkedIn Insight Tag, Microsoft Advertising acts as a processor within the meaning of GDPR Art. 28, not as a joint controller. The website operator is the sole controller. This simplifies the legal structure but sets new requirements for the privacy policy and the Data Processing Agreement (DPA). This guide explains Microsoft's role, the data processing and the requirements for transparency and compliance. As of: 2026-04-22.

A. Purpose and Function of Microsoft Advertising

Microsoft Advertising is the advertising and tracking platform from Microsoft, based on the Bing search engine ecosystem and Microsoft partner sites. Website operators can use Microsoft Advertising to:

1. Conversion tracking: The UET tag (Universal Event Tracking) is embedded into the website and records conversion events (e.g. product purchase, lead form completion, download). This enables the website operator to measure the performance of Microsoft Ads campaigns.

2. Audience creation and remarketing: Microsoft creates digital target groups (audiences) from the collected website visitor data, which are used for remarketing campaigns in Bing, Microsoft partner sites (e.g. Yahoo) or the Microsoft Audience Network.

3. Demographic and interest targeting: Based on the collected data and Microsoft's user profiling, Microsoft creates target groups according to demographic characteristics (age, gender, income) and interests in order to deliver ads precisely.

Integrations: Microsoft Advertising can be integrated with Google Tag Manager and other tag management systems (UET tag in GTM code, event tracking via API).

Difference from Facebook/LinkedIn: Unlike Meta Pixel and LinkedIn Insight Tag, Microsoft Advertising is a pure processor solution. Microsoft processes data on behalf of the website operator, not as an independent controller. This is more clearly regulated legally and requires a formal Data Processing Agreement (DPA).

B. Mandatory Disclosures in the Privacy Policy regarding Microsoft Advertising

According to GDPR Art. 13(1) and Art. 14, website operators must provide the following information when using Microsoft Advertising:

• Purposes of the processing (Art. 13(1)(c))
• Legal bases (Art. 13(1)(d))
• Legitimate interests, where this is the basis (Art. 13(1)(d))
• Categories of recipients (Art. 13(1)(e)) – here: Microsoft Ireland Operations Limited as processor
• Third-country transfers and safeguards (Art. 13(1)(f))
• Retention period or criteria for determining it (Art. 13(2)(a))

A central element is the clear designation of Microsoft as a processor. This differs fundamentally from joint controller scenarios: the website operator bears full data protection responsibility.

Better approach: A centrally explained chapter on purposes and legal bases, a recipient table that identifies Microsoft as a processor, and a reference to the availability of the DPA.

C. Provider of Microsoft Advertising: Microsoft Ireland Operations Limited

Legal basis:

• Full name: Microsoft Ireland Operations Limited
• Address: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
• Country of registered office: Ireland (European Economic Area)
• Parent company: Microsoft Corporation (USA)
• Role: Processor within the meaning of GDPR Art. 28, not controller

Data Privacy Framework (DPF): Microsoft Corporation is DPF-certified. This means that data transfers from the EU to the USA are permissible on the basis of an adequacy decision (Art. 45 GDPR), provided that the data recipient is actually DPF-certified. This is to be checked by the website operator.

Privacy policy: https://privacy.microsoft.com/de-de/privacystatement

Data Processing Agreement (DPA): Microsoft provides a standard data processing agreement. This is generally available in the Microsoft Ads account settings or via a request form. The DPA governs Microsoft's technical and organizational measures as a processor and is a mandatory prerequisite for GDPR-compliant use.

URL to the DPA: The exact link is to be checked by the website operator (typically at https://about.ads.microsoft.com/resources/ or directly in the account dashboard).

D. Data Processing by Microsoft Advertising – Process

E. Data Collected when Using Microsoft Advertising

Microsoft Advertising collects website and visitor data:

This data can be classified into the following standardized data type categories:

• Web server log data: IP address, HTTP headers, request timestamp, user agent (browser, operating system, device type), geographical localization (based on IP)
• Click paths: Visited website pages, referrer URLs, clicked links and buttons, scroll behavior, dwell times on individual pages
• End-device data: Device type (desktop, tablet, mobile), screen resolution, operating system version, network type (Wi-Fi, mobile), hardware features
• Browser information: Browser name, browser version, cookies (UET cookie, third-party cookies), local storage, tracking IDs (e.g. MSIDA for Microsoft Identity)
• Conversion events: Product purchase, lead form completion, registration, download, video view, add-to-cart with associated metadata (product name, price, category, order value)
• Profile data: (With data-driven targeting) Hashed or anonymized customer data from CRM systems (email, phone, name, customer segment), if uploaded by the website operator
• Tracking identifiers: Microsoft UET cookie, user IDs, advertising IDs (e.g. GAID for Android, IDFA for iOS), hashed email addresses

F. Purposes of Use when Using Microsoft Advertising

Microsoft states that advertising data is processed for the following purposes:

• Conversion tracking: Measurement and attribution of conversions to specific ads or keywords
• Campaign performance reporting: Provision of detailed campaign evaluations to the website operator
• Audience creation and management: Segmentation of website visitors for remarketing and audience targeting
• Algorithm optimization: Improvement of machine learning models for better bid management and audience matching
• Attribution modeling: Multi-channel attribution to understand which touchpoints lead to conversions
• Security and abuse detection: Identification of suspicious activities and fraud prevention
• Possibly Microsoft's internal business purposes: Depending on the DPA configuration; usually only with explicit consent

G. Legal Bases for Microsoft Advertising

Legal basis depends on the purpose of use:

1. Conversion tracking and remarketing (marketing tags): Consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG is typically required. The user must explicitly consent to tracking tags recording their behavior and data being transferred to Microsoft.

2. Functionally required use (e.g. conversion attribution for own optimization): Legitimate interests of the website operator (Art. 6(1)(f) GDPR) may, under certain circumstances, be a basis: optimization of the operator's own website performance, campaign success analysis. This requires a balancing of interests and is to be examined on a case-by-case basis.

3. Data transfer to the USA: With DPF certification: Art. 45 GDPR (adequacy decision). Without DPF: Art. 46 GDPR (Standard Contractual Clauses) or other appropriate safeguards.

Practical approach: The safest way is to classify it as a marketing tag that requires explicit consent. This avoids complex balancing of interests and is transparent for users.

H. Special Features and Notes regarding Microsoft Advertising

1. Processor status is clear Unlike Meta Pixel or LinkedIn Insight Tag, Microsoft Advertising is a clear processor constellation. Microsoft processes data on behalf of the website operator. This simplifies the legal structure and sets less complex requirements for the privacy policy.

2. Data Processing Agreement (DPA) is mandatory A formally signed or accepted DPA is a mandatory prerequisite for GDPR-compliant use. The website operator must retrieve and retain it. The DPA should be mentioned in the privacy policy.

3. UET tag and Google Tag Manager integration The Microsoft UET tag can be loaded via Google Tag Manager. The website operator should ensure that the tag is only loaded AFTER consent (e.g. via cookie banner).

4. DPF certification Microsoft Corporation is DPF-certified. This enables data transfers to the USA on the basis of an adequacy decision. However, regular review of the DPF status is recommended, as it may change.

5. Sub-processors and their transparency The DPA should contain a list of approved sub-processors. The website operator has the right to be informed of changes to sub-processors and to object to them (opt-out right).

6. Data transfer to the USA and DPIA A DPIA (data protection impact assessment) is recommended, especially with large data volumes or sensitive data. The DPIA should document the transfer mechanisms (DPF, SCCs) and safeguards.

7. Opt-out and user control Microsoft offers users limited opt-out options:

• Deactivation of interest-based ads in account settings
• Users can manage advertising preferences at https://account.microsoft.com/privacy
• However, complete opt-out only works through consent (consent can be withdrawn)

I. FAQ regarding Microsoft Advertising

J. Conclusion and Recommendation regarding Microsoft Advertising

Microsoft Advertising is a specialized advertising platform for conversion tracking and audience management, with a clear processor role. This is more transparent in data protection terms than joint controller scenarios such as Meta Pixel or LinkedIn Insight Tag.

The decisive point is the availability and use of a formal Data Processing Agreement (DPA). Without a DPA, use is not GDPR-compliant. The website operator bears full responsibility for compliance with data protection requirements.

A privacy policy for Microsoft Advertising does not have to be in a separate paragraph but can be integrated: with a clear naming of Microsoft as a processor, indication of purposes, legal bases and retention period, as well as a reference to the existing DPA.