Microsoft · Microsoft Privacy Statement (Legacy)

Collection of Biometric and Health Data

High severity
Share 𝕏 Share in Share

What it is

Microsoft may collect biometric data (such as facial recognition or voice prints) and health-related information in certain products and services. This sensitive data is subject to additional protections but is still collected and processed.

Why it matters

Biometric and health data are among the most sensitive categories of personal information, and their collection by a major technology company carries significant privacy risks if misused or breached.

Institutional analysis (Compliance & legal intelligence)

Collection of biometric and special category health data triggers heightened obligations under GDPR Article 9, CCPA sensitive data provisions, and the Washington My Health MY Data Act, requiring explicit consent, Data Protection Impact Assessments, and restricted processing purposes.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Consumer impact

Microsoft collects extensive personal data across its products including search history, voice recordings, location data, browsing behaviour, and inferred interests, and uses this data for targeted advertising and product improvement. Users' data may be shared with affiliates, advertising partners, and other third parties, and sensitive data such as health and biometric information may also be collected in certain contexts. You can review, download, or delete your personal data by visiting Microsoft's Privacy Dashboard at account.microsoft.com/privacy.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Sign in to your Microsoft account, navigate to the Privacy Dashboard, and select the data category you wish to delete. Follow the prompts to submit a deletion request.

Applicable agencies

  • FTC
    The FTC has jurisdiction over unfair or deceptive practices in the collection and use of sensitive biometric and health data by consumer technology companies.
    File a complaint →
  • State AG
    Several state attorneys general enforce biometric privacy laws (e.g. Illinois BIPA, Washington My Health MY Data Act) relevant to Microsoft's collection of such data.
    File a complaint →

Provision details

Document information
Document
Microsoft Privacy Statement (Legacy)
Entity
Microsoft
Document last updated
March 5, 2026
Tracking information
First tracked
March 15, 2026
Last verified
March 15, 2026
Record ID
CA-P-00001000
Document ID
CA-D-00001
Evidence Provenance
Source URL
https://www.microsoft.com/en-us/privacy/privacystatement
Wayback Machine
View archived versions →
SHA-256
45f09bce08bba70d095c6310e3c8383cc7e2ee6d93fc0795641bd50132df016b
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Microsoft | Document: Microsoft Privacy Statement (Legacy) | Record: CA-P-00001000
Captured: 2026-03-15 11:31:06 UTC | SHA-256: 45f09bce08bba70d…
URL: https://conductatlas.com/platform/microsoft/microsoft-privacy-statement-legacy/collection-of-biometric-and-health-data/
Accessed: April 4, 2026
Classification
Severity
High
Categories
Privacy Consent Data sharing Surveillance

Other provisions in this document