Website owners, even those operating simple sites that don’t proactively advertise, should be aware of an important change coming on May 5, 2025, which may impact how they handle visitor data.

Microsoft Advertising has announced that starting May 5, 2025, it will require all websites using its tracking tools to send a “consent signal” whenever someone from the European Union, United Kingdom, or Switzerland visits.

This move is part of Microsoft’s effort to align with global privacy laws like the EU’s General Data Protection Regulation (GDPR). Even websites based in the U.S. should take note, as tracking technologies from Microsoft, Google, and Meta are commonly used across a wide range of websites — whether or not those sites actively target users in Europe.

Background

When someone visits a website, analytics and marketing tools — such as Microsoft’s Universal Event Tracking (UET) tag, Google Analytics, or Meta’s Facebook Pixel — may collect data about the visit. These tools are often used to create personalized experiences or deliver ads later across the web, a practice known as cross-context behavioral advertising.

Under the GDPR, this kind of tracking requires prior consent. A website is legally obligated to obtain the user’s permission before placing or activating most tracking technologies. Microsoft’s new policy is a direct response to this: if a site includes Microsoft’s tracking code, it must now inform Microsoft whether a user has opted in to data collection. If no signal is provided, Microsoft may limit or block data collection entirely for visitors from those regions.

Why This Might Affect Even U.S.-Based Websites

Even websites and companies based in the U.S., with limited or no focus on European audiences, should take note of this change.

Although the California Consumer Privacy Act (CCPA) does not explicitly require opt-in consent for cookies or tracking technologies, the legal landscape in California is shifting — especially considering the recent rise in California Invasion of Privacy Act (CIPA) complaints. Plaintiffs are arguing — with some success — that the use of third-party tracking tools without affirmative user consent constitutes illegal wiretapping under CIPA.

As these claims gain traction in court, many privacy professionals are now advising U.S. businesses to treat third-party cookies similarly to how they would under GDPR, meaning: do not fire any cookies unless the user has opted in. Microsoft’s new Consent Mode reflects this privacy-forward model. Moreover, adopting similar practices across jurisdictions — not just in Europe — may help mitigate emerging legal risks in California and elsewhere.

What Is Microsoft “Consent Mode”?

To support compliance, Microsoft now offers a feature called Consent Mode. This tool allows Microsoft’s tracking tags to dynamically adjust based on whether the user has granted consent.

If the user agrees to tracking, Microsoft’s tag functions as usual. If the user declines, the tag modifies its behavior — either reducing or fully disabling data collection. Consent Mode acts as the bridge between a website and Microsoft’s backend systems, helping ensure data is only processed when it’s legally permitted.

However, Microsoft does not implement this automatically. It’s up to businesses to set up Consent Mode correctly and pass the appropriate consent signals through their website infrastructure.

Recommendations for Compliance

If a site doesn’t yet have a cookie consent solution in place, now is the time to act.

Businesses should start by implementing a Consent Management Platform (CMP). This is the software that displays a cookie banner, allows visitors to make informed choices, and prevents tracking until consent is granted. A well-configured CMP also sends consent signals to third-party tools like Microsoft, Google, and Meta.

Several CMPs are widely used and support compliance with both GDPR and CCPA. These tools typically allow sites to tailor experiences by region — for example, requiring opt-in in Europe, and offering a “Do Not Sell or Share My Personal Information” link for California and other U.S. state laws.

Once a CMP is in place, sites will need to configure tracking tags — including Microsoft’s UET tag — to respond appropriately. This often involves enabling Consent Mode and ensuring that tags only fire once consent is given. If you use a tag manager like Google Tag Manager, this can often be accomplished without major code changes.

As a final step, and as a crucial part of good privacy hygiene, companies should regularly review and update their Privacy Policies to explain how their sites collect, share, and use personal data. In addition, we recommend regularly testing privacy compliance tools and user interfaces to ensure they are functional, accurate, and fair. Specifically, users should find it just as easy to opt out of tracking as it is to opt in. Regulators — especially in California — are now scrutinizing this symmetry closely. Even one extra click to opt out may be considered a violation of state privacy laws.