Supplier Privacy Toolkit

Privacy Statement Options

Updated: May 2014

When it comes time to develop the privacy statement for supplier-hosted sites, there are three options:
  1. You can publish a privacy statement directly on your own servers using the applicable Privacy Statement template provided in this toolkit.
  2. You can use the Microsoft Privacy Statement Publishing Tool (PrivPub) to update and publish a privacy statement.
  3. You can link to the privacy statement if approved to do so by the privacy manager supporting your Microsoft business client.

Option 1: Publish the Statement Yourself

If you want to publish the statement yourself, you will need to first customize the statement according to the directions.After you have completed customization, you are ready to publish the statement by using your usual web-publishing method. You will be responsible for staging the content and hosting it on your servers.

  • You are familiar with your publishing process, so no time is lost to learning a new tool.
  • You control all timing elements.
  • There are no localized versions of the template available in the toolkit. Therefore option 1 is not recommended if the privacy statement needs to be localized into other languages.
  • You miss out on saving overhead (such as hosting costs and technical problems) when PrivPub does the work to output your statement to a URL.
  • Customers miss out on the layered, modern design of the PrivPub privacy statements. For examples of the design style, see the Bing and Xbox statements

Option 2: Publish the Statement Through PrivPub

You also have the option to use PrivPub, the Privacy Statement Publishing Tool, to create your privacy statement. PrivPub is a free, web-based tool that allows you to efficiently create and publish statements that share a design style with the, Bing, and Xbox sites. The tool is free to use and publishes to a platform owned by If you choose this option, you’ll start by filling out an onboarding form. After you submit the form, you’ll receive instructions for next steps, including how to customize the privacy statement. Pros
  • PrivPub offers pre-localized versions of the privacy statement in several languages, so only the customized sections of the privacy statement (for example, how customers can access their information) need to be localized. Therefore option 2 is recommended if the privacy statement needs to be localized into other languages.
  • PrivPub provides a layered privacy statement that reflects the Microsoft modern design ethos.
  • You own the content, but Microsoft handles the technical details of publishing and maintaining the pages.
  • With PrivPub’s modular system, you can share modules across separate statements. This is especially useful if you need to publish multiple statements over time.
  • You must have corpnet access to use PrivPub.
  • PrivPub is easy to use but, like any new tool, will require some time to learn. The 30-minute live training is usually sufficient to instruct new users.
  • Microsoft controls two of the timing points: onboarding to the tool and moving the statement from the staging server to the live server. The service level agreement (SLA) for each task is two days, although both tasks are typically accomplished in one day. Using PrivPub is simple—one new user said that she staged her statement in only 15 minutes. However, if you need your statement online within 24 hours, self-publishing might be the better choice.

Option 3: Link to the Privacy Statement

The privacy statement is a general-purpose statement that can be leveraged by many different websites.  Before linking to this statement, teams must work with their privacy managers to ensure that their data practices align with the statement’s disclosures.

If the statement is found to be appropriate for a website’s use, the team must first onboard to the Privacy Response Center (PRC).  The PRC provides a first Point of Contact (POC) for customer privacy inquiries. Onboarding generally takes two business days and is required so that PRC agents can have a POC from the product team in case issues need to be escalated.

If approved by a Microsoft privacy manager to use this option, you must use the following forward link:


  • The implementation process is very easy. Simply fill out the onboarding form and use the forward link provided above.
  • The statement is already localized into several languages. The forward link automatically resolves to the privacy statement. 
  • The statement cannot be customized.  Therefore, if the data practices of the supplier-hosted site do not align to the existing statement, this option is not permitted.