Consumer Health Data Privacy Policy (2024)

This notice supplements the Microsoft Privacy Statement and applies to personal data defined as “consumer health data”subject to the Washington State My Health My Data Act (MHMDA), the Nevada Health Data Privacy Act (NHDPA), or other applicable state consumer health privacy law.

Consumer Health Data We Collect

As described in thePersonal data we collect section of the privacy statement, the data we collect depends on the context of your interactions withMicrosoft and the choices you make (including your privacy settings), the products and features you use, your location,and applicable law. Because consumer health data is defined very broadly, many of the categories of data we collectcould also be considered consumer health data.

Examples of consumer health data may include:

• Information about your health-related conditions, symptoms, status, diagnoses, testing, or treatments (including surgeries,procedures, medications, or other interventions). For example, we may collect such information through surveys or othercommunication with you for research studies and improving product accessibility.
• Measurements of bodily functions, vital signs, or characteristics, including photographs, which may also be consideredbiometric information under the MHMDA, the NHDPA, or other applicable state consumer health privacy law.
• Precise location information that could reasonably indicate your attempt to acquire or receive health services or supplies.For example, if you use Bing maps to get directions to a health care provider, we may collect GPS, cell tower, andWi-Fi hotspot location data that could reveal health-related information.
• Information that could identify your attempt to seek health care services or information, including services that allowyou to assess, measure, improve, or learn about your or another person’s health. For example, we collect your Bingsearch queries, which may include queries concerning nutrition, wellness, fitness, medical conditions, or other health-relatedtopics.
• Other information that may be used to infer or derive data related to the above or other health information.

Sources of Consumer Health Data

As described further in thePersonal data we collect section of the privacy statement, we collect personal data (which may include consumer health data) directlyfrom you, from your interactions with our products and services, from third parties, and from publicly available sources.

Why We Collect and Use Consumer Health Data

We collect and use consumer health data for the purposes described in theHow we use personal data section of the privacy statement. Primarily, we collect and use consumer health data as reasonably necessaryto provide you with the products you have requested or authorized. This may include delivering and operating the productsand their features, personalization of certain product features, ensuring the secure and reliable operation of the productsand the systems that support them, troubleshooting and improving the products, and other essential business operationsthat support the provision of the products (such as analyzing our performance, meeting our legal obligations, developingour workforce, and conducting research and development).

We may use consumer health data for other purposes for which we give you choices and/or obtain your consent as required bylaw – for example, for advertising or marketing purposes. See theHow to access and control your personal data section of the privacy statement and the How to Exercise Your Rights section below for more details onthe controls and choices you may have.

Our Sharing of Consumer Health Data

We may share each of the categories of consumer health data described above for the purposes described in theReasons we share personal data section of the privacy statement. In particular, we may share personal data, including consumer healthdata, with your consent or as reasonably necessary to complete any transaction or provide any product you have requestedor authorized, as described above.

For example, we share your content with third parties when you tell us to do so, such as when you send an email to afriend, share photos and documents on OneDrive, or link accounts with another service. If you make a purchase, we willshare information about the transaction as necessary to process the payment, including protection against fraud. Andwe may disclose data when we believe that doing so is necessary to comply with applicable law or respond to valid legalprocess.

Third Parties With Which We Share Consumer Health Data

As necessary for the purposes described above, we share consumer health data with the following categories of third parties:

• Service providers. Vendors or agents (“processors”) working on our behalf may access consumer healthdata for the purposes described above. For example, companies we’ve hired to provide customer service support or assistin protecting and securing our systems and services may need access to data to provide those functions.
• Business partners. We may share consumer health data with other companies, for example, where youuse a service that is cobranded and jointly operated with another company, or where you use our services to interactwith another company.
• Financial institutions & payment processors. When you make a purchase or enter into a financialtransaction, we will disclose payment and transactional data to banks and other entities as necessary for payment processing,fraud prevention, credit risk reduction, analytics, or other related financial services.
• Parties to a corporate transaction. We may disclose consumer health data as part of a corporate transactionor proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or saleof all or a portion of our business or assets.
• Affiliates. We enable access to data across our subsidiaries, affiliates, and related companies, forexample, where we share common data systems or where access helps us to provide our services and operate our business.A full list of specific affiliates is availablehere.
• Government agencies. As described in our privacy statement and ourLaw Enforcement Requests Report, we disclose data to law enforcement or other government agencies when we believe doing so is necessaryto comply with applicable law or respond to valid legal process.
• Other third parties. In certain circ*mstances, it may be necessary to provide data to other thirdparties, for example, to comply with the law or to protect our rights or those of our customers.
• Other users and individuals. If you use our services to interact with other users of the service orother recipients of communications, we will share data, including consumer health data, as directed by you and yourinteractions.
• The public. You may select options available through our services to publicly display and disclosecertain information, such as your profile, demographic data, content and files, or geolocation data, which may includeconsumer health data.

How to Exercise Your Rights

If you are covered by the MHMDA, the NHDPA, or other applicable consumer health privacy law then you may have certain rights with respect to consumer health data, including rights to access, delete, or withdraw consentrelating to such data, subject to certain exceptions. You can request to exercise such rights using the various toolsand mechanisms described in the How to access and control your personal data section of the privacy statement. For example, depending on the product you use, you can access and makechoices about your data through product controls. You can also access and clear some of your data through theMicrosoft privacy dashboard. And if you want to access or control consumer health data processed by Microsoft that is not availablevia those tools or directly through the Microsoft products you use, you can always contact Microsoft at the contactinformation in theHow to contact us section or by using ourweb form.

If your request to exercise a right is denied, you may appeal that decision by contacting our privacy supportteam via ourweb form. If your appeal is unsuccessful, you can raise a concern or lodge a complaint with the Washington StateAttorney General atwww.atg.wa.gov/file-complaint, the Nevada State Attorney General at https://ag.nv.gov/complaints/file_complaint/, or other regulatory authority as applicable.