Austria tells Microsoft to stop using tracking cookies in school software
Austria’s data protection authority ordered Microsoft to stop using non-essential tracking cookies in education software, citing lack of legal basis under GDPR. Here’s what parents and schools should know.
Copy link
By Torontoer Staff
Austria’s data protection authority has ordered Microsoft to stop using non-essential tracking cookies in its education software after finding the company lacked a legal basis to process students’ personal data. The decision, shared by privacy campaign group Noyb on January 21, follows complaints that tracking mechanisms were installed on pupils’ devices without proper consent.
The ruling is the latest enforcement action tied to the EU’s General Data Protection Regulation, and it has immediate implications for schools, parents and administrators who rely on Microsoft 365 for Education.
What the ruling says
The Austrian Data Protection Authority, known by the acronym DSB, concluded that Microsoft’s education software processed personal data without a valid legal basis. DSB ordered Microsoft to refrain, within four weeks, from placing cookies that are not technically necessary for the service to function. Cookies in question were being used to analyse behaviour for advertising and other purposes, and were installed on student devices without consent, according to the complaint filed by the European Centre for Digital Rights, Noyb.
Why this matters for parents and schools
Children have stronger data protection safeguards under EU rules. When software used in classrooms tracks pupils’ behaviour for analytics or advertising without a clear legal basis, that can violate privacy rights and expose schools to regulatory risk. Schools that adopt cloud-based educational tools must ensure configurations and vendor contracts meet data protection requirements, and that any data collection is proportionate and transparent.
- Non-essential cookies can collect browsing patterns and usage data that go beyond classroom needs.
- Consent is generally required for processing that is not strictly necessary for service delivery, and minors cannot provide valid consent in many jurisdictions.
- Regulators can order vendors to change practices and require schools to update contracts and settings to comply.
Tracking minors clearly isn’t privacy-friendly.
Felix Mikolasch, data protection lawyer at Noyb
Practical steps parents can take now
Parents can take several practical steps to protect children’s privacy at school and to press for stronger safeguards.
- Ask the school for its data protection and technology use policy. Request details on which services are used, what data is collected, how long it is retained and who has access.
- Request a copy of the school’s agreement or data processing addendum with software vendors. School administrators should be able to confirm whether vendors act as processors or controllers of student data.
- Submit a subject access request if you want to see what personal data is held about your child and how it is used.
- Ask whether the school has disabled non-essential cookies and third-party tracking in education platforms and browsers used on school devices.
- Encourage the school to appoint or consult a data protection officer to review vendor configurations and ensure compliance with applicable privacy laws.
- Teach older children basic privacy habits: signing out of school accounts after use, avoiding personal accounts on school devices, and using privacy settings in browsers and apps.
What Microsoft said and what comes next
A Microsoft spokesperson told AFP the company was reviewing the DSB decision and that Microsoft 365 for Education meets required data protection standards. Microsoft added that institutions in the education sector can continue to use the service in compliance with the EU regulation. Noyb began pressing similar claims after filing two complaints in 2024, and the organisation has launched dozens of legal cases under GDPR since 2018.
If Microsoft appeals or makes technical changes, schools should monitor vendor updates and instructions. Administrators may need to reconfigure settings, update privacy notices and consult legal counsel to remain compliant. Parents should expect ongoing attention from privacy authorities across Europe and from advocacy groups focused on safeguarding minors online.
How this affects Canadian families
Canadian schools that use international cloud services should treat this as a reminder to audit privacy practices. While Canada has its own privacy framework, provincial and federal laws protect student information and require reasonable safeguards. Parents can use the steps above when discussing digital safety with local school boards and trustees.
The Austrian ruling highlights a broader shift: regulators are scrutinizing educational technology setups more closely. Parents who want stronger protections should engage with their school boards, request transparency and insist that vendors adopt privacy-by-design configurations.
privacyeducationMicrosoftGDPRparenting
