Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Microsoft Advertising (formerly Bing Ads) is Microsoft's digital advertising platform that enables conversion tracking and audience retargeting via the Universal Event Tracking (UET) tag. The UET tag sets cookies and sends behavioural data to Microsoft before any ad interaction occurs. Under GDPR and the ePrivacy Directive, the UET tag requires prior user consent because it deploys advertising cookies and transfers personal data to Microsoft Corporation in the United States for cross-site audience profiling.
Microsoft Advertising (formerly Bing Ads) is Microsoft's digital advertising platform enabling businesses to run pay-per-click ads on Bing, Yahoo, MSN, and partner networks. Conversion tracking and audience retargeting are implemented through the Universal Event Tracking (UET) tag, a JavaScript snippet embedded on the advertiser website. When a visitor lands on a website carrying the UET tag, the tag fires immediately, sets advertising cookies, and reports the visit to Microsoft advertising servers. This allows advertisers to measure campaign ROI, build retargeting audiences, and create lookalike audiences for new customer acquisition.
The UET tag sets cookies including MUID (a persistent Microsoft unique identifier valid for 13 months used for cross-site audience tracking), _uet (UET state and conversion tracking data valid for 180 days), and MR (a helper cookie used to refresh MUID). The tag collects the visitor IP address, browser fingerprint, pages visited, conversion events (such as purchases or form completions), and referral data. This data is combined with Microsoft's own network data to build advertising audience segments. MUID is a cross-site identifier, meaning Microsoft tracks visitor behaviour across all websites carrying UET tags and Microsoft advertising assets.
The UET tag sets advertising cookies and performs cross-site tracking from the moment a visitor loads the page. Under Article 5(3) of the ePrivacy Directive, prior informed consent is required for non-essential cookies. Under GDPR Article 6(1)(a), consent is the only valid legal basis for advertising profiling. Microsoft provides Microsoft Consent Mode, which allows advertisers to signal consent state to the UET tag and control whether full or limited data collection is performed based on visitor choices. Microsoft Consent Mode does not exempt the advertiser from obtaining valid consent before enabling personalised advertising features.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
All UET tag data is processed by Microsoft Corporation, headquartered in Redmond, Washington, United States. Microsoft relies on the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) for transatlantic data transfers. Advertisers must ensure that a valid Data Processing Agreement is in place with Microsoft, disclose the US transfer in their privacy policy, and reference the applicable transfer mechanism. Microsoft's DPF certification covers Microsoft Advertising data flows and is publicly listed on the DPF programme website.
Microsoft Consent Mode allows advertisers to pass consent signals to the UET tag so that personalised advertising is disabled before consent and enabled after. This is analogous to Google Consent Mode v2 and should be integrated with a CMP that supports Microsoft Consent Mode. In the default denied state, the UET tag should fire without setting advertising cookies, collecting only aggregated and non-identifying signals. Full personalised tracking only activates once the visitor grants advertising consent. Advertisers must integrate a CMP that supports Microsoft Consent Mode signalling to take advantage of this compliance approach.
To use Microsoft Advertising in compliance with GDPR and ePrivacy: (1) Implement Microsoft Consent Mode via a compatible CMP to control UET tag behaviour based on visitor consent. (2) List all UET cookies in your cookie policy under the advertising category with accurate names, durations, and purposes. (3) Disclose the Microsoft data transfer and the applicable transfer mechanism (DPF or SCCs) in your privacy policy. (4) Ensure a Data Processing Agreement is signed with Microsoft as data processor. (5) Audit your retargeting audience lists to ensure they only contain data collected with valid consent. (6) Conduct a DPIA if you use customer match lists or combine UET data with CRM data for advanced audience targeting.
Websites using Microsoft Advertising must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for advertisers with significant EU traffic using Microsoft Advertising audience retargeting, particularly where UET-collected behavioural data is combined with CRM data for customer match campaigns. The scale of cross-site tracking and US data transfer constitutes high-risk processing under Art. 35 GDPR.
Sample consent text
We use Microsoft Advertising (Bing Ads) to measure the effectiveness of our advertising campaigns and to show you relevant ads on the Microsoft network. The UET tag uses cookies and collects data about your website visits. Data is processed by Microsoft Corporation in the United States. You can manage your advertising preferences below.
Third-party domains contacted
bat.bing.combingads.microsoft.comads.microsoft.comc.clarity.msCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| MUID | persistent | 13 months | Assigns a unique user identifier across Microsoft services for advertising and analytics purposes |
| _uet | persistent | 1 year | Used by Microsoft UET tag to record user actions for conversion tracking and remarketing audiences |
| MR | persistent | 7 days | Tracks whether the MUID cookie consent has been refreshed to maintain consistent user identification |
| _bat | persistent | 1 year | Stores batched Universal Event Tracking data for deferred transmission to Microsoft Advertising servers |
Microsoft Advertising places tracking cookies for advertising — comply with GDPR using FlowConsent.
Yes. The Universal Event Tracking (UET) tag sets advertising cookies and performs cross-site audience tracking from the moment it fires on page load. Under the ePrivacy Directive, prior informed consent is required for non-essential advertising cookies. Under GDPR Article 6(1)(a), consent is the only valid legal basis for advertising profiling. The UET tag must not fire in personalised mode until the visitor has actively accepted advertising cookies.
The UET tag sets MUID (a persistent Microsoft unique identifier for cross-site audience tracking, 13 months), _uet (UET tag state and conversion tracking data, 180 days), MR (a helper cookie that controls MUID refresh, 7 days), and _bat (a session-level conversion tracking cookie, session duration). These cookies enable cross-site visitor identification, conversion attribution, and audience segment building for retargeting campaigns on the Microsoft Advertising network.
Consent under Article 6(1)(a) GDPR is the only valid legal basis for the UET tag advertising cookies, conversion tracking, and audience retargeting. Legitimate interest cannot justify cross-site tracking for advertising purposes. Microsoft provides Microsoft Consent Mode to allow advertisers to pass consent signals to the UET tag, enabling limited aggregated measurement without personalised tracking when consent has not been granted.
Yes. All UET tag data is processed by Microsoft Corporation in the United States. Microsoft relies on the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) for EU to US data transfers. You must ensure a Data Processing Agreement is signed with Microsoft, disclose the US transfer in your privacy policy, and verify Microsoft current DPF certification status on the official DPF programme website.
A DPIA is recommended for advertisers with significant EU traffic using UET-based audience retargeting, especially if you combine UET behavioural data with CRM data for customer match campaigns. The large-scale cross-site tracking by MUID across all websites carrying UET tags, combined with US data transfers, constitutes high-risk processing under Article 35 GDPR. Consult your DPO to assess whether a formal DPIA is required.
Implement Microsoft Consent Mode via a CMP that supports its signalling protocol. In the default denied state, configure the UET tag to fire without personalised cookies, collecting only aggregated signals. Enable full personalised tracking only after advertising consent is granted. Ensure your CMP sends the correct ad_storage and analytics_storage consent signals to the UET tag. Test the implementation to verify the tag respects consent state changes in real time.
Yes. Microsoft supports a server-side Conversions API (CAPI) that sends conversion events directly from your server to Microsoft without client-side cookies, reducing browser-level tracking. Microsoft Enhanced Conversions allows matching conversions using hashed customer data rather than cookies. For cookieless attribution, Microsoft Advertising also supports Modelled Conversions which estimates conversions using aggregate signals where cookie data is unavailable.
In your cookie policy, list each UET cookie (MUID, _uet, MR, _bat) with its name, category (advertising), duration, and purpose. In your privacy notice, describe the UET tag conversion tracking and audience retargeting activities, identify Microsoft Corporation as the data processor, state the legal basis (consent), and disclose the US data transfer with reference to DPF and SCCs. Reference your signed Data Processing Agreement and provide a link to Microsoft privacy statement.