Additional Requirements for Vendor-Hosted Websites
Updated: May 2013
Privacy Statement Templates
Each website requires a link to a Microsoft privacy statement, even if the IP address and other standard information sent by a browser are the only information collected.
The footer of each page of a vendor-hosted site must include the following information:
- A link to your Microsoft privacy statement with the following label: Privacy Statement
- Note: Alternatively, if your website is localized or marketed in the European Union (EU) or European Economic Area (EEA), use the label “Privacy and Cookies” instead of “Privacy Statement.”
- The Microsoft copyright notice: © [year] Microsoft Corporation. All rights reserved.
- The following notice: This site is hosted for Microsoft by [vendor name].
Collection of Personal Information
If the site you are hosting collects personal information, the site must be reviewed by the Microsoft privacy expert who supports your Microsoft client. Privacy requirements include, but are not limited to, the following:
- Use Secure Sockets Layer (SSL) on pages that collect personal information.
- Indicate which fields are required.
- Limit required fields to what is necessary to fulfill the primary purpose.
- Collect contact preferences for any secondary use of personal information. The privacy manager supporting your Microsoft client must approve the wording of the contact preferences.
- Import personal information into Microsoft systems, as applicable, within 10 business days (5 for Australia). The privacy manager supporting your Microsoft client must approve the upload process.
- Request a review from your business privacy contact if the website is intended for children under 13 or may be attractive to children under 13.
- Request a review from your business privacy contact if sensitive information, such as an individual's race, ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, financial information, or government-issued IDs, is collected.
- No vendor branding or links back to the vendor's own site are permitted.
- Provide a link to the site’s vendor-hosted privacy statement in the footer of all pages of the website.
- At all points of data collection, provide an additional link to the site’s vendor-hosted privacy statement.
Enhanced Notice Mechanism
If the website is localized or marketed in the European Union (EU) or European Economic Area (EEA), implement the Enhanced Notice Mechanism on the site. For more information, request a review from your Microsoft client’s privacy manager.
Use of Authentication
If the site you are hosting collects personal information, it may be necessary for the site to use an authentication method, such as a sign-in method with user name and password, to verify the user’s identity.
When Authentication Is Required
The collection of personal information requires authentication in the following scenarios:
- When users need to be able to come back and access, view, and/or edit their personal information online.
- When personal information will be used for secondary purposes (for example, marketing), and users need to edit their privacy settings with respect to that secondary use.
When Authentication Is Not Required
The collection of personal information does NOT require authentication in the following scenarios:
- When personal information will be used for only a clearly defined primary purpose, such as:
  - Email, phone, address used for one-time fulfillment (for example, sweepstakes)
  - Requested contact by support
  - Campaigns with limited duration
  - Email used for only promotional purposes
- When there is no need to access personal information online.
Approved Authentication Methods
- All authentication methods must be security-approved by Microsoft. Vendors may not create a customized authentication method without security approval from Microsoft.
- Security-approved authentication methods include using the Microsoft account and any sign-in method available through Windows Azure Active Directory Access Control Service (ACS). Check with the privacy manager supporting your Microsoft client to find out if there are any additional options approved for that business.
Get Online Process
Prior to launch of the site, direct your Microsoft client to visit the Get Online Service Desk to initiate the steps required to launch a new third-party hosted site.