Fitness trackers & health information – I’ve walked 6,000 steps, but who else knows it?

By: Kathryn Pajak

It was the middle of the night, I was walking back and forth through my apartment determined to get to 10,000 steps.  Sound familiar?  The new fitness trend of wearables has taken the millennial generation by storm (and basically all other generations at that).  But – what does this fitness tracker really track?  The GPS measures how far I’ve walked, but does it track where I was? Where is that information stored?  Can a court subpoena the information?

Fitness trackers have swept the world. A Pricewaterhouse Coopers study found that one in five American adults owns a wearable device, and the research firm Canalys reported that eight million activity-tracking bands were expected to ship in 2014.  Fitness trackers hold great promise for public health policy and personal wellness.  The main contenders in the market are Jawbone (site and privacy policy), Fitbit (site and privacy policy), and Garmin (site and privacy policy).  The challenge fitness tracker and mobile health apps face is striking a balance between collecting necessary information and protecting consumers’ privacy.  Fitness tracker manufacturers require consumer trust to sell their products; they know they cannot sell their products if their customers don’t have confidence that the manufacturers have reasonable privacy protections and data security in place.

What Information is Collected?

Companies Collect Personal Fitness Information (“PFI”) – PFI consists of various types of sensitive information such as a user’s heart rate, number of steps taken, activity levels, sleep quality and duration, and calories burned.  Not only do these devices collect PFI, but also they collect a large volume of it. Data gathered from fitness trackers likely has broader public health implications for researchers and policy makers.  For instance, at some point, such data could be as detailed as a doctor’s medical records, and such information could be shared with employers, insurers and financial professionals. The sale of the aggregate PFI data may ultimately implicate HIPAA thereby imploring lawmakers to update HIPAA or pass new legislation.  It could even fall under the reach of the Fair Credit Reporting Act if it is used to make employment or credit offers.

How is it Collected?

Sensors and Algorithms – Fitness trackers function by collecting information via sensors that measure motion, specifically the acceleration, frequency, duration, intensity and patterns of your movement.  The data collected is transformed into steps and activity.

Fitness Trackers Function on Sharing – When using fitness trackers, individuals voluntarily share their private information.  This directly contrasts traditional privacy concerns of third-party surveillance, because users of fitness trackers voluntarily record and transmit their lives in granular detail. Therefore the privacy issue at hand is not whether users are being recorded, but rather what happens to the data collected.  There seems to be a general lack of awareness from users on how much, and how potentially harmful, the data collected is. 

Who has Access?

It isn’t Clear Who has Access to the Information Collected – Naturally companies and fitness brands, which collect this information, have access.  However, recently, these companies have been selling the information to the highest bidder. 

What are the Potential Legal Issues?

Fitness Trackers are Under Attack in Europe – The laws in Europe are traditionally stricter on privacy than the laws in the United States.  In fact, recently the Norwegian Consumer Council accused health tracker manufactures of violating European law because the Council is concerned that none of the companies give users proper notice about changes in their terms, all of the wristbands collect more data than what is necessary to provide the service, none of the companies fully explain who they may share user data with, and none of the companies state how long they will retain user data.  The United States has traditionally been more relaxed on privacy.  Nevertheless, in Katz v. United States, the Supreme Court established that individuals are entitled to a reasonable expectation of privacy. 

Privacy Policies are Subject to Change - Most brands have clauses stated that the terms of the privacy policy are subject to change.  For instance, Garmin’s privacy policy states “We will provide notice to you if these changes are material and, where required by applicable law, we will obtain your consent.”  Therefore, users do not have the ability to effectively control how their fitness data is used and shared.  In the past, Fitbit has shared users data in aggregate and de-identified.  For instance, in 2015, Fitbit used fitness information to measure and track its users’ excitement throughout the Super Bowl by examining users’ heart rates and distributed this information.  While aggregated and de-identified, some analysts have been able to re-identify the supposedly anonymous data.

FDA will not regulate fitness trackers – The FDA will not regulate products intended for general wellness, such as tools for weight management, physical fitness, or mental acuity.  While the FDA will not regulate fitness trackers in that arena, they will regulate medical devices, i.e. technology that makes a medical claim to treat or diagnose a disease or condition.  The FDA made this decision to strike a balance between unnecessary government red tape for applications trying to promote healthful activities and protection of private health information.  General wellness tools will still have to pass the Medical Electronic Data Technology Enhancement for Consumer’s Health Act (“MEDTECH”).  In contrast, HIPAA regulates Private Health Information (“PHI”).  HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), protects against the improper disclosure of private health information.

Tell Me More!

Additional Sources – If you find this topic interesting, here are a few fun reads for more information!

1.      Smart Watches and Weak Privacy Rules, N.Y. TIMES (Sept. 15, 2014), http://www.nytimes.com/2014/09/16/opinion/smartwatches-and-weak-privacy-rules.html?_r=0

2.      James A. Martin, Pros and Cons of Using Fitness Trackers for Employee Wellness, CIO (Mar. 24, 2014), http://www.cio.com/article/2377723/it-strategy/pros-and-cons-of-using-fitness-trackers-for-employee-wellness.html  

3.      Sophie Charara, If You Own a Fitness Tracker, Chances Are It’s a Fitbit, WAREABLE (May 22, 2015), http://www.wareable.com/fitbit/fitness-tracker-sales-2015-fitbit-1169

4.      Joseph Bradley, When IoE Gets Personal: The Quantified Self Movement!, CISCO BLOG (Sept. 10, 2013), http://blogs.cisco.com/zzfeatured/when-ioe-gets-personal-the-quantified-self-movement/

5.      Al Sacco, Fitness Trackers Are Changing Online Privacy--and It’s Time to Pay Attention, TECH HIVE (Aug. 15, 2014), http://www.techhive.com/article/2465820/fitness-trackers-are-changing-online-privacy-and-its-time-to-pay-attention.html  

6.      Stuart Dredge, Why the Workplace of 2016 Could Echo Orwell’s 1984, THE GUARDIAN (Aug. 22, 2015), http://www.theguardian.com/technology/2015/aug/23/data-and-tracking-devices-in-the-workplace-amazon  

7.      Jack Smith IV, Fitbit Is Now Officially Profiting From Users’ Health Data, OBSERVER (Apr. 18, 2014), http://observer.com/2014/04/fitbit-is-now-officially-profiting-from-users-health-data/#ixzz2zdt0LO2w  

8.      Emma Hutchings, Fitbit Users’ Sexual Activity Found In Google Search Results, PSFK (July 4, 2011), http://www.psfk.com/2011/07/fitbit-users-sexual-activity-found-in-google-search-results.html

9.      Kate Crawford, When Fitbit Data Is the Expert Witness, THE ATLANTIC (Nov. 19, 2014), http://www.theatlantic.com/technology/archive/2014/11/when-fitbit-is-the-expert-witness/382936/

10.  Should Companies Profit by Selling Customers’ Data?, The Wall Street Journal, https://www.wsj.com/articles/SB10001424052702304410204579143981978505724

11.  WHY SHOULD WE CARE WHAT FITBIT SHARES?: A PROPOSED STATUTORY SOLUTION TO PROTECT SENSITIVE PERSONAL FITNESS INFORMATION by Michelle M. Christovich published in Winter 2016. 38 Hastings Comm. & Ent L.J. 91

12.  YOU SHOULD BE FREE TO TALK THE TALK AND WALK THE WALK: APPLYING RILEY V. CALIFORNIA TO SMART ACTIVITY TRACKERS, by Katharine Saphner published in April 2016. 100 Minn. L. Rev. 1689