Web Content grounding in M365 Copilot vs Microsoft Copilot(BCE)

Copper Contributor
Does commercial data protection apply to prompts and responses within Copilot for Microsoft 365 when web content is enabled? Does it get the same protections as Microsoft Copilot, formerly known as Bing Chat for Enterprise?  How is company data handled in this scenario?

I've tried to follow the trail of privacy, terms of use, etc for Bing Search services, but have come up empty with how the data is handled from the company's perspective.  All I see is in association to end user privacy.  This is a gap in documentation either from an omission standpoint or simplicity and explicit standpoint. It is certainly unclear to me.

Full transparency: I posted this in the Bing hub as well. 
2 Replies
Commercial data protection means that your prompts and the responses to and from Copilot are not going to be saved anywhere. They aren’t going to be used to train the model. As of the date of the recording, these are all of the licenses that will have this commercial data protection feature:

Microsoft 365 F1
Microsoft Office 365 E1, E1 Plus, E3, E5, F3
Microsoft 365 Business Basic
Microsoft 365 Apps for Enterprise
Microsoft 365 Apps for Business

Does it answer your question ?



Commercial Data Protection is only being shown to protect Microsoft Copilot, but not Microsoft Copilot for Microsoft 365.. aka M365 Copilot.


While M365 Copilot is Work focused(looking at data within your organization), the plugin for Web Content that can expose your prompts to the Bing Search API, does not seemingly safeguard your company data from being exposed in the same way as how Microsoft Copilot (formerly Bing Chat for Enterprise) does. At least the Bing Search API Legal page doesn't share the protections from my non-attorney read of it.


In https://www.microsoft.com/en-us/bing/apis/legal, Bing Search API Legal Information, Section 6, Data collection and privacy,
it states:

(a) Microsoft may collect information from you or End Users such as, but not limited to, an End User's IP address, requests, time of submissions and the results returned to the End User, in connection with transaction requests to the Services. All access to and use of the Services is subject to the data practices set forth in the then-current Privacy Statement, a current copy of which is available at https://privacy.microsoft.com/en-us/privacystatement. You are responsible for providing End Users with adequate notice of the privacy practices applicable to your Application.

(b) Your use of the Services is subject to the applicable terms set forth in the Online Services Terms available at available at https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx . Only the following sections of the Online Services Data Protection Addendum (also available at available at https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx) apply to the Services: Data Transfers, Use of Subcontractors, and How to Contact Microsoft. These sections do not apply to previews. The GDPR Terms (as defined in the Data Protection Addendum) do not apply to the Services.



With this, I am leaning towards the thought that we can't expect company data to be protected IF/WHEN using the Web Content plugin with Microsoft Copilot for Microsoft 365.