On Friday in the Northern District of California, consumers, including individuals and companies, filed a class action complaint against Microsoft which claimed the company shared consumer data without consent to subcontractors and third parties, including Facebook, despite policies that stated otherwise.
The plaintiffs accused Microsoft of “misrepresenting its privacy and security practices, violating federal and state law, and illegally sharing and using its business-class Microsoft Office 365 and Microsoft Exchange customers’ data.” Specifically, “[c]ontrary to Microsoft’s representation and without its customers’ consent, Microsoft shares its business customers’ contacts and related data with Facebook; shares the content of its business customers’ emails, documents, contacts, calendars, and other data with unauthorized third parties for unauthorized purposes; and uses its business customers’ data to develop new products and services to sell to others.” The plaintiffs argued that Microsoft claims to be transparent about its privacy and security practices, however, the described conduct contradicts the company’s claims.
For example, Microsoft transitioned its business customers to its cloud-based services, Office 365, claiming to consumers that their data would be secure and private by only sharing this information to provide the purchased services. Microsoft stated that it “will share their data with its subcontractors and certain others only on a need-to-know basis; and that it will never share the customer’s data with third parties at all.” However, the plaintiffs alleged that these “representations were false” because “Microsoft has regularly shared – and continues to share – its business customers’ data with Facebook and other third parties” in violation of its promise and policies to customers.
This information was allegedly shared without obtaining consumer consent. For instance, the complaint said Microsoft shared consumers’ contacts with Facebook. The plaintiffs claimed that this data sharing was not necessary for the purchased services, and, as a result, can harm consumers. Additionally, the complaint said Microsoft does not anonymize or obscure consumer data before sharing it. Microsoft allegedly shared this data for business development purposes. The plaintiffs claimed that Microsoft “has not fully and openly disclosed its data use and sharing practices to its business customers,” thus, it is not as transparent as it claims to be. Consequently, the plaintiffs asserted that Microsoft misled and misrepresented the security and privacy it was providing to its customers. The plaintiffs paid for their Microsoft business solutions, however, they alleged that they were misled and deceived as a result of Microsoft’s lack of disclosures and conduct. The plaintiffs said that they have been harmed by Microsoft’s conduct because of their reduced privacy and security.
Microsoft allegedly violated the Wiretap Act, Stored Communications Act, and Washington consumer protection and privacy laws for the aforementioned alleged conduct. The plaintiffs have sought injunctive and declaratory relief, restitution of profits unjustly obtained, recovery of payments for their Microsoft services, a cease and desist order, an award for damages and interest, and an award for costs and fees.
A Microsoft spokesperson said “We’re aware of the suit and will review it carefully. However, while the allegations themselves are not very specific, as we understand them we don’t believe they have merit. We have an established history of both robust privacy protections and transparency, and we’re confident that our use of customer data is consistent with the instructions of our customers and our contractual commitments.”
The plaintiffs are represented by Bailey & Glasser, LLP, and The Golan Firm PLLC.
This story has been updated to add a statement from Microsoft.