Microsoft may collect health-related data (such as fitness information from apps or devices) and biometric data (such as voice patterns or facial recognition data used in features like Windows Hello).
Why it matters
Health and biometric data are among the most sensitive categories of personal information, and their collection by a major technology company creates significant privacy risks if misused or breached.
Collection and processing of biometric and health data triggers GDPR Art. 9 special category protections, state biometric privacy laws (Illinois BIPA, Texas, Washington), and may overlap with HIPAA if used in healthcare-adjacent contexts; compliance teams should confirm appropriate consent mechanisms and data minimisation controls are in place.
Consumer impact
Microsoft collects extensive personal data — including location, voice recordings, typed content, browsing history, and health-related data — across its entire product ecosystem, and uses this data for personalised advertising, product improvement, and AI model training. Data may be shared with third-party partners, advertisers, and other Microsoft-affiliated companies, and some data may be retained even after account deletion. You can review, download, or delete your personal data by visiting account.microsoft.com/privacy and adjusting settings via the Microsoft Privacy Dashboard.
What you can do
⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
Delete Your Data
Visit the Microsoft Privacy Dashboard and select 'Health activity' to review and delete health data. For biometric data such as Windows Hello, go to Settings > Accounts > Sign-in options and remove stored biometric credentials.
Applicable agencies
Federal Trade Commission (FTC)
Oversees unfair or deceptive business practices and can investigate companies that mislead consumers about data collection, sharing, or use.
Who can file: Anyone affected by the company's practices (US or international)
What you need: Your account details, a timeline of relevant events, and a description of the specific issue
What to expect: Complaints inform FTC enforcement priorities and investigations but do not result in individual resolution or compensation
Department of Health & Human Services, Office for Civil Rights (HHS OCR)
Enforces HIPAA Privacy and Security Rules, which protect health information held by healthcare providers, health plans, and their business associates.
Who can file: Anyone whose HIPAA rights may have been violated by a covered entity (healthcare provider, health plan, or healthcare clearinghouse)
What you need: Name of the entity, description of the violation, date of the incident, and your contact information. Complaints must be filed within 180 days of the violation.
What to expect: HHS OCR investigates and may require the entity to take corrective action. Does not provide individual compensation. Serious violations can result in civil monetary penalties.