Additional Requirements for Supplier-Hosted Websites
Updated: May 2014
Privacy Statement Options
Each website requires a link to a Microsoft privacy statement, even if the IP address and other standard information sent by a browser are the only information collected. There are three options for linking to a privacy statement on a supplier-hosted site. Please work with the privacy manager supporting your business client to determine which option is appropriate.
The footer of each page of a vendor-hosted site must include the following information:
- A link to your Microsoft privacy statement with the following label: Privacy Statement
- Note: Alternatively, if your website is localized or marketed in the European Union (EU) or European Economic Area (EEA), use the label “Privacy and Cookies” instead of “Privacy Statement.”
- The Microsoft copyright notice: © [year] Microsoft Corporation. All rights reserved.
- The following notice: This site is hosted for Microsoft by [vendor name].
Collection of Personal Information
If the site you are hosting collects personal information, the site must be reviewed by the Microsoft privacy expert who supports your Microsoft client. Privacy requirements include, but are not limited to, the following:
- Use Secure Sockets Layer (SSL) on pages that collect personal information.
- Indicate which fields are required.
- Limit required fields to what is necessary to fulfill the primary purpose.
- Collect contact preferences for any secondary use of personal information. The privacy manager supporting your Microsoft client must approve the wording of the contact preferences.
- Import personal information into Microsoft systems, as applicable, within 10 business days (5 for Australia). The privacy manager supporting your Microsoft client must approve the upload process.
- Request a review from your business privacy contact if the website is intended for children under 13 or may be attractive to children under 13.
- Request a review from your business privacy contact if sensitive information, such as an individual's race, ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, financial information, or government-issued IDs, is collected.
- No vendor branding or links back to the vendor's own site are permitted.
- Provide a link to the site’s vendor-hosted privacy statement in the footer of all pages of the website.
- At all points of data collection, provide an additional link to the site’s vendor-hosted privacy statement.
Enhanced Notice Mechanism
If the website is localized or marketed in the European Union (EU) or European Economic Area (EEA), implement the Enhanced Notice Mechanism on the site. For more information, request a review from your Microsoft client’s privacy manager.
Use of Authentication
If the site you are hosting collects personal information, it may be necessary for the site to use an authentication method, such as a sign-in method with user name and password, to verify the user’s identity.
When Authentication Is Required
The collection of personal information requires authentication in the following scenarios:
- When users need to be able to come back and access, view, and/or edit their personal information online.
- When personal information will be used for secondary purposes (for example, marketing), and users need to edit their privacy settings with respect to that secondary use.
When Authentication Is Not Required
The collection of personal information does NOT require authentication in the following scenarios:
- When personal information will be used for only a clearly defined primary purpose, such as:
  - Email, phone, address used for one-time fulfillment (for example, sweepstakes)
  - Requested contact by support
  - Campaigns with limited duration
  - Email used for only promotional purposes
- When there is no need to access personal information online.
Please refer to the Supplier Security & Privacy Assurance Program (SSPA) Data Protection Requirements for guidance on authentication methods.
Get Online Process
Prior to launch of the site, direct your Microsoft client to visit the Get Online Service Desk to initiate the steps required to launch a new third-party hosted site.