What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://account.microsoft.com/privacy', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': "Visit the Microsoft Privacy Dashboard and select 'Health activity' to review and delete health data. For biometric data such as Windows Hello, go to Settings > Accounts > Sign-in options and remove stored biometric credentials.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has enforcement authority over deceptive collection and handling of biometric and health data by consumer technology companies.', 'full_name': 'Federal Trade Commission (FTC)', 'description': 'Oversees unfair or deceptive business practices and can investigate companies that mislead consumers about data collection, sharing, or use.', 'who_can_file': "Anyone affected by the company's practices (US or international)", 'complaint_url': 'https://reportfraud.ftc.gov/', 'what_you_need': 'Your account details, a timeline of relevant events, and a description of the specific issue', 'what_to_expect': 'Complaints inform FTC enforcement priorities and investigations but do not result in individual resolution or compensation'}, {'agency': 'HHS_OCR', 'reason': "Where health data intersects with HIPAA-covered contexts or Microsoft's Consumer Health Data Privacy Policy, HHS OCR may have jurisdiction.", 'full_name': 'Department of Health & Human Services, Office for Civil Rights (HHS OCR)', 'description': 'Enforces HIPAA Privacy and Security Rules, which protect health information held by healthcare providers, health plans, and their business associates.', 'who_can_file': 'Anyone whose HIPAA rights may have been violated by a covered entity (healthcare provider, health plan, or healthcare clearinghouse)', 'complaint_url': 'https://www.hhs.gov/ocr/complaints/index.html', 'what_you_need': 'Name of the entity, description of the violation, date of the incident, and your contact information. Must file within 180 days of the violation.', 'what_to_expect': 'HHS OCR investigates and may require the entity to take corrective action. Does not provide individual compensation. Serious violations can result in civil monetary penalties.'}

What is the severity of this clause?

ConductAtlas classifies this Collection of Health and Biometric Data clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Collection of Health and Biometric Data — Microsoft

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for Microsoft Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

Microsoft may collect health-related data (such as fitness information from apps or devices) and biometric data (such as voice patterns or facial recognition data used in features like Windows Hello).

ⓘ

This analysis describes what Microsoft's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Health and biometric data are among the most sensitive categories of personal information, and their collection by a major technology company creates significant privacy risks if misused or breached.

Recent Activity

This document changed recently

Medium Apr 19, 2026

The updated policy establishes additional grounds on which Microsoft may retain personal data. While the prior version tied retention to specific user expectations and available deletion controls, the revised language authorizes retention for 'operating our business, meeting our contractual and legal obligations, improving and developing our products and services, protecting the safety and security of our systems and customers, and resolving disputes.' This expands the stated purposes beyond transaction fulfillment and legal compliance. The updated policy directs users to product-specific documentation for retention details rather than providing explicit deletion procedures and timelines in the privacy statement itself.

View change record →

Medium Apr 1, 2026

The updated policy now grounds data retention in five broad business purposes: operating the business, meeting contractual and legal obligations, improving and developing products and services, protecting system and customer safety, and resolving disputes. Previously, the policy articulated specific criteria for determining retention periods, including customer expectations for retention until manual deletion, availability of automated deletion controls, and data sensitivity. The revised language removes these granular criteria and instead requires users to consult individual product documentation to understand when their specific data will be deleted. This shifts the burden of finding retention timelines from the main policy statement to separate product-specific documents.

View change record →

Medium Mar 13, 2026

The updated Privacy Statement removes previously stated language about additional rights available to European Economic Area users, narrowing the policy's explicit protections in that region. Simultaneously, the revised terms now explicitly authorize Microsoft to contact users via auto-dialer and prerecorded voice for marketing purposes, provided the user has consented to receive marketing communications to the phone number supplied. This establishes Microsoft's contractual permission to initiate automated marketing calls using artificial intelligence-generated voice technology where user consent to marketing contact has been given.

View change record →

Consumer impact (what this means for users)

Microsoft collects extensive personal data — including location, voice recordings, typed content, browsing history, and health-related data — across its entire product ecosystem, and uses this data for personalised advertising, product improvement, and AI model training. Data may be shared with third-party partners, advertisers, and other Microsoft-affiliated companies, and some data may be retained even after account deletion. You can review, download, or delete your personal data by visiting account.microsoft.com/privacy and adjusting settings via the Microsoft Privacy Dashboard.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Visit the Microsoft Privacy Dashboard and select 'Health activity' to review and delete health data. For biometric data such as Windows Hello, go to Settings > Accounts > Sign-in options and remove stored biometric credentials.

Cross-platform context

See how other platforms handle Collection of Health and Biometric Data and similar clauses.

Compare across platforms →

Monitoring

Microsoft has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

Collection and processing of biometric and health data triggers GDPR Art. 9 special category protections, state biometric privacy laws (Illinois BIPA, Texas, Washington), and may overlap with HIPAA if used in healthcare-adjacent contexts; compliance teams should confirm appropriate consent mechanisms and data minimisation controls are in place.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

Federal Trade Commission (ftc)

Oversees unfair or deceptive business practices and can investigate companies that mislead consumers about data collection, sharing, or use.

Who can file: Anyone affected by the company's practices (US or international)

What you need: Your account details, a timeline of relevant events, and a description of the specific issue

What to expect: Complaints inform FTC enforcement priorities and investigations but do not result in individual resolution or compensation

File a complaint →
Department Of Health & Human Services, Office For Civil Rights (hhs Ocr)

Enforces HIPAA Privacy and Security Rules, which protect health information held by healthcare providers, health plans, and their business associates.

Who can file: Anyone whose HIPAA rights may have been violated by a covered entity (healthcare provider, health plan, or healthcare clearinghouse)

What you need: Name of the entity, description of the violation, date of the incident, and your contact information. Must file within 180 days of the violation.

What to expect: HHS OCR investigates and may require the entity to take corrective action. Does not provide individual compensation. Serious violations can result in civil monetary penalties.

File a complaint →

Provision details

Document information

Document

Microsoft Privacy Statement (Legacy)

Entity

Microsoft

Document last updated

March 5, 2026

Tracking information

First tracked

March 6, 2026

Last verified

March 9, 2026

Record ID

CA-P-00001002

Document ID

CA-D-00001

Evidence Provenance

Source URL

https://www.microsoft.com/en-us/privacy/privacystatement

Wayback Machine

View archived versions →

Content hash (SHA-256)

b3c85aa6a19fc8ce1bad351ae60d82fbee162cdf439701bea9f0007ce7de8bc0

Analysis generated

March 6, 2026 20:13 UTC

Methodology

summarize_document-v7

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Microsoft
Document: Microsoft Privacy Statement (Legacy)
Record ID: CA-P-00001002
Captured: 2026-03-06 20:13:02 UTC
SHA-256: b3c85aa6a19fc8ce…
URL: https://conductatlas.com/platform/microsoft/microsoft-privacy-statement-legacy/collection-of-health-and-biometric-data/
Accessed: June 10, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

High

Other risks in this policy

AI and Copilot Data Use high
Targeted Advertising Using Personal Data medium
Children's Privacy and Parental Consent high
Data Retention After Account Deletion medium
Cross-Product and Third-Party Data Sharing high
Diagnostic and Telemetry Data Collection (Windows) medium

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Microsoft's Collection of Health and Biometric Data clause do?

Health and biometric data are among the most sensitive categories of personal information, and their collection by a major technology company creates significant privacy risks if misused or breached.

Is ConductAtlas affiliated with Microsoft?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Microsoft.