Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Feb 05, 2026 · 5 min read

Microsoft Was Tracking School Children Through 365 Education—Austria Just Ordered It to Stop

Austria's data protection authority ruled that Microsoft illegally installed tracking cookies on students' devices through its education software. The decision could set a precedent for millions of children across Europe.

A school classroom with a laptop on a student desk showing a cookie consent notification, with translucent data particles floating from the screen

Tracking Cookies in the Classroom

In January 2026, the Austrian Data Protection Authority (DSB) ruled that Microsoft illegally installed tracking cookies on a student's device through Microsoft 365 Education, the software suite used by schools across Europe for classes, assignments, and communication.

According to noyb (European Center for Digital Rights), which filed the complaints in June 2024, Microsoft's own documentation confirms the cookies analyzed user behavior, collected browser data, and were used for advertising purposes.

The authority ordered Microsoft to cease tracking the student within four weeks. Because Microsoft 365 Education uses uniform terms and privacy documentation across Europe, noyb argues that children in all EU and EEA countries are exposed to the same violations.

What the Cookies Collected

The tracking cookies embedded in Microsoft 365 Education were not limited to functional purposes like keeping students logged in. They collected behavioral data about how students used the platform, including browsing patterns, device information, and usage analytics that fed into advertising systems.

This is particularly concerning because students using school mandated software have no real choice about whether to use it. A child cannot opt out of Microsoft Teams when their teacher assigns work through it. The power imbalance between a global technology company and a schoolchild makes meaningful consent impossible.

The DSB found that Microsoft violated GDPR provisions requiring lawful processing and transparent data collection. This was the second ruling against Microsoft by the same authority. In October 2025, the DSB had already found that Microsoft violated GDPR Article 15, the right of data access, in a separate complaint from noyb.

Microsoft Blames the Schools

Microsoft's defense has been to shift responsibility to individual schools, arguing that educational institutions are the data controllers and should manage cookie consent. But noyb points out that schools have no ability to control which cookies Microsoft deploys through its platform.

The tracking cookies are embedded in the platform itself, not added by schools. Teachers and administrators cannot selectively disable advertising cookies in Microsoft 365 Education. Blaming schools for Microsoft's own tracking infrastructure is, as noyb puts it, asking schools to take responsibility for code they did not write and cannot modify.

This defense has now failed twice before the Austrian authority. The precedent is significant because it establishes that cloud platform providers cannot outsource GDPR responsibility to the institutions that use their software.

Why This Matters Beyond Austria

Microsoft 365 Education is used by millions of students and teachers across Europe. The platform's terms of service and privacy documentation are standardized across countries. If the tracking cookies violate GDPR in Austria, they likely violate it everywhere the platform operates under the same terms.

Data protection authorities in other EU member states can reference the Austrian ruling when evaluating complaints about Microsoft's education software. This creates a ripple effect that could force Microsoft to overhaul how it handles tracking across its entire education product line.

The ruling also sends a broader signal to technology companies that provide software to schools. If you install tracking cookies on children's devices through mandated education software, the GDPR applies with full force, and the platform provider, not the school, bears responsibility.

The Tracking Pipeline From Classroom to Inbox

The same tracking technology Microsoft used on students' devices exists throughout the digital ecosystem. Cookies, tracking pixels, and behavioral analytics follow users from educational platforms to email inboxes to every website they visit.

When a student graduates and enters the workforce, the same tracking infrastructure follows them. Marketing emails use 1x1 tracking pixels to monitor when messages are opened, from which device, and at what location. Advertising networks use cookies to build behavioral profiles across websites.

If tracking children through school software violates their rights, tracking adults through their inbox without consent deserves the same scrutiny. Blocking tracking pixels wherever they appear is one of the few defenses individuals have against pervasive surveillance.