Microsoft Dynamics 365 Commerce offers a scalable e-commerce solution designed to help merchants sell products and services online. Its feature set includes customizable storefronts, multi-currency support, automated tax calculations, and advanced shipping options. Microsoft Dynamics 365 Commerce integrates with leading payment gateways, marketing platforms, and fulfillment services. Built-in analytics and reporting tools help merchants track performance, optimize conversions, and make data-driven.
Microsoft Dynamics 365 Commerce is Microsoft's omnichannel commerce platform combining online storefronts, in-store point of sale, and call center capabilities. It runs on Microsoft Azure, uses Microsoft Entra ID (formerly Azure AD) for identity, integrates with the Power Platform for automation, and ships with Application Insights telemetry. Merchants use it to manage products, pricing, promotions, checkout, fulfillment, and customer profiles across all channels.
The platform processes identifiers, contact information, billing and shipping addresses, payment tokens, order history, cart contents, browsing behavior, device and IP data through Application Insights, and authentication events via Microsoft Entra ID. Customer Insights extensions enable behavioral profiling and segmentation. Optional Microsoft Clarity integration captures session recordings and heatmaps. Payment data flows through certified PCI DSS gateways.
Microsoft is a US-headquartered controller/processor. Personal data may be transferred to the United States and other Microsoft global facilities. Microsoft is self-certified under the EU-US Data Privacy Framework, the UK extension, and the Swiss-US framework. Standard Contractual Clauses are included in the Microsoft Product Terms and Data Protection Addendum. Customers selecting an EU region benefit from the Microsoft EU Data Boundary commitment for core customer data, although some telemetry and identity flows may still cross borders.
Strictly necessary cookies and processing for cart, checkout, payment, security, and anti-forgery rely on Article 6(1)(b) GDPR (contract) and Article 6(1)(f) (legitimate interest in fraud prevention). Analytics, personalization, behavioral profiling, marketing pixels, and Clarity session recordings require prior opt-in consent under Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive. Consent must be specific, informed, granular, and revocable.
Sign the Microsoft Data Protection Addendum, configure region and EU Data Boundary settings, gate Application Insights and Clarity behind a Consent Management Platform, map subprocessors, document retention for orders and telemetry, implement data subject request workflows using the Microsoft Privacy portal, and run a DPIA covering profiling, payment processing, and international transfers.
Main risks include profiling of shoppers, cross border transfers, dependency on Microsoft as a strategic processor, and PCI DSS scope for payment flows. Recommendations: enforce least privilege in Microsoft Entra ID, disable optional telemetry where not required, document the legitimate interest assessment for fraud tooling, keep customers informed through a clear privacy notice, and monitor advisories from CNIL, BfDI, and the AEPD on Microsoft cloud services.
Websites using Microsoft Dynamics 365 Commerce must obtain user consent under the GDPR for its non-essential (analytics, personalization, marketing) cookies.
DPIA considerations
A DPIA is strongly recommended for Microsoft Dynamics 365 Commerce deployments. Key risks: large scale processing of customer purchase data, payment information (PCI DSS scope), behavioral profiling through Application Insights and personalization features, cross border transfers to the US, integration with marketing tools (Customer Insights, Clarity), and use of Microsoft Entra ID identity services. Document lawful basis per processing activity, map data flows including subprocessors, evaluate retention windows for order, telemetry, and profile data, and verify EU Data Boundary configuration where applicable.
Sample consent text
This site uses Microsoft Dynamics 365 Commerce to process your orders and improve your shopping experience. Strictly necessary cookies (cart, checkout, security, anti-forgery) are always active. With your consent, we also enable analytics cookies (Application Insights, Microsoft Clarity) and personalization features that may involve transferring data to Microsoft in the United States under the EU-US Data Privacy Framework and Standard Contractual Clauses. You can withdraw your consent at any time via the cookie preference center.
Third-party domains contacted
dynamics.com, commerce.dynamics.com, login.microsoftonline.com, dataverse.com, applicationinsights.azure.com, clarity.ms
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ai_user | first_party | 1 year | Application Insights anonymous user identifier for product telemetry, error tracking, and usage analytics. Requires consent. |
| ai_session | first_party | 30 minutes | Application Insights session identifier used to group telemetry events within a browsing session. Requires consent. |
| msal.session.state | first_party | Session | Microsoft Entra ID (MSAL) session state cookie used during sign in flows and to validate authentication exchanges. Strictly necessary. |
| msdyn365___RequestVerificationToken | first_party | Session | Anti forgery (anti CSRF) token issued by the Dynamics 365 Commerce storefront to protect form submissions. Strictly necessary. |
| msdyn365___cart | first_party | 30 days | Persists shopping cart contents across sessions for the current visitor or signed in customer. Strictly necessary for the e commerce contract. |
| msdyn365___locale | first_party | 1 year | Stores the visitor selected language and market so that the storefront renders the correct catalog, currency, and pricing. Strictly necessary. |
Microsoft Dynamics 365 Commerce uses cookies for user preferences — inform visitors with a consent banner.
Dynamics 365 Commerce sets first-party cookies for cart, checkout, session, anti-CSRF tokens, and locale. Application Insights adds analytics cookies (ai_user, ai_session). Microsoft Entra ID issues authentication cookies for signed-in customers. Optional integrations such as Microsoft Clarity, advertising pixels, and Customer Insights may add further analytics, personalization, or marketing cookies.
Strictly necessary cookies (cart, checkout, payment, security, anti-forgery) do not require consent. Analytics, behavioral profiling, personalization, Application Insights, Microsoft Clarity, and any marketing pixels require prior opt-in consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy. Consent must be specific, informed, granular, and as easy to withdraw as to give.
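As an added example (not code from Microsoft or from this page's author), a small Node.js audit that checks a storefront's cookie header against the cookie inventory listed above and the visitor's consent state, flagging analytics cookies that were set before opt-in. The category mapping and the sample cookie string are constructed assumptions.

```javascript
// Added example: audit a document.cookie-style string against the declared
// Dynamics 365 Commerce cookie inventory and the visitor's consent choices.

// Declared inventory from the cookie table above. Mapping "Strictly necessary"
// to "necessary" and "Requires consent" to "analytics" is an assumption.
const COOKIE_INVENTORY = {
  ai_user: "analytics",
  ai_session: "analytics",
  "msal.session.state": "necessary",
  msdyn365___RequestVerificationToken: "necessary",
  msdyn365___cart: "necessary",
  msdyn365___locale: "necessary",
};

// Split "a=1; b=2" into cookie names, ignoring empty segments.
function parseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split("=")[0].trim());
}

// consent: { analytics: true/false, ... }. "necessary" cookies are always allowed.
// Returns { allowed, violations, unknown }: violations are cookies whose category
// lacks consent; unknown cookies are absent from the inventory (notice incomplete).
function auditCookies(cookieString, consent) {
  const result = { allowed: [], violations: [], unknown: [] };
  for (const name of parseCookieNames(cookieString)) {
    const category = COOKIE_INVENTORY[name];
    if (category === undefined) {
      result.unknown.push(name);
    } else if (category === "necessary" || consent[category] === true) {
      result.allowed.push(name);
    } else {
      result.violations.push(name);
    }
  }
  return result;
}

// Constructed sample: Application Insights cookies already present, no opt-in yet.
const SAMPLE_COOKIES =
  "msdyn365___cart=c1; ai_user=u1|2024; ai_session=s1|x; msdyn365___locale=en-gb; some_unlisted_cookie=1";

console.log(auditCookies(SAMPLE_COOKIES, { analytics: false }));
```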
Order processing, cart, checkout, payment, and fulfillment rely on Article 6(1)(b) GDPR (performance of the sales contract). Fraud prevention and core security rely on Article 6(1)(f) (legitimate interest). Analytics, profiling, personalization, marketing, and remarketing rely on Article 6(1)(a) (consent). Each processing activity should be mapped in the record of processing activities.
Yes. Microsoft is a US-headquartered processor and data may flow to the United States and other Microsoft regions. Transfers are covered by the EU-US Data Privacy Framework (Microsoft is certified), the UK extension, the Swiss-US Framework, and Standard Contractual Clauses in the Microsoft DPA. Selecting an EU region activates the EU Data Boundary for core customer data, while some telemetry and identity flows may still cross borders.
A DPIA is strongly recommended. The platform involves large scale processing of customer and payment data, behavioral profiling via Application Insights and Customer Insights, optional Microsoft Clarity session recordings, integration with Microsoft Entra ID, and cross border transfers. These factors trigger several DPIA criteria in the EDPB guidelines and the national lists of CNIL, BfDI, and AEPD.
Sign the Microsoft DPA, choose an EU region with EU Data Boundary, gate Application Insights, Clarity, and marketing tags behind a Consent Management Platform, document subprocessors, set retention windows for orders and telemetry, implement data subject requests through the Microsoft Privacy portal, harden Microsoft Entra ID with least privilege and MFA, and run a DPIA.
Alternatives include Shopify, Adobe Commerce (Magento), SAP Commerce Cloud, Salesforce Commerce Cloud, Commerce Tools, and Sylius for European hosting. Each option has its own data flows, hosting locations, and consent considerations. EU based solutions or self hosted deployments can reduce third country transfer concerns but may shift compliance and security work to your team.
List each Dynamics 365 Commerce cookie with name, purpose, duration, and category (necessary, analytics, personalization, marketing). Document Microsoft as a processor, name relevant subprocessors, declare transfers to the United States under the EU US Data Privacy Framework and Standard Contractual Clauses, and link to the Microsoft Trust Center and DPA. Provide a granular opt in and a clear withdrawal mechanism.