Fitness and Personal Health Apps Could Pose Privacy Nightmare

Currently, fitness data gathered and stored by wearable fitness trackers can potentially be sold to third parties, like employers, insurance providers, and other companies, without the users' knowledge or consent.

This article is published with permission from The Burrill Report.

As more and more data is collected about an individual, the issue of privacy becomes more challenging. Personal health and fitness data gathered and stored by wearable fitness trackers, such as FitBit and others, is so rich that an individual can be identified by their gait, says US Sen. Charles Schumer (D-NY).

He warns that such data can potentially be sold to third parties, like employers, insurance providers, and other companies, without the users’ knowledge or consent, potentially creating a privacy nightmare.

Fitness trackers gather information on how many steps a person takes per day, sleep patterns, calories burned, and GPS locations. Users often input private health information, such as blood pressure, weight, and more. The data is then uploaded for analysis and feedback for the user. There are currently no federal protections to prevent those developers from selling that data to a third party without the wearer's consent.

Schumer has urged the Federal Trade Commission to push for fitness device and app companies to provide a clear and obvious opportunity to “opt-out” before any personal health data is provided to third parties.

Americans have started wearing fitness trackers and bracelets to monitor and improve their health, which is a good goal. But there are insufficient federal protections in place to ensure that information submitted to and collected by these fitness trackers remains personal and private. Schumer drew a contrast with the Finnish company Polar Flow, which is appropriately handling privacy by making it very clear in its terms and conditions that it will never sell personally identifiable data for advertising purposes.

In the letter to the FTC, Schumer said the federal government should investigate the vague policies used by many companies that make it impossible for health-conscious consumers to make an informed choice about privacy, and should clarify that it is an unfair or deceptive trade practice when a company fails to state clearly to consumers whether personal data may be sold to third parties for advertising or other purposes.

“Personal fitness bracelets and the data they collect on your health, sleep, and location, should be just that — personal,” Schumer says. “The fact that private health data — rich enough to identify the user's gait — is being gathered by applications like FitBit and can then be sold to third parties without the user’s consent is a true privacy nightmare. If companies of fitness devices have the ability to sell personal health data to insurers, employers and others, users should be alerted and given the opportunity to decline. The FTC should require fitness devices and app companies to adopt new privacy measures that will help conceal the identity of individuals and develop policies to protect consumer information in the event of a security breach.”

Currently, there are no federal laws that prevent developers from sharing personal health data with third parties. The FTC has openly voiced its concern about the selling of personal fitness data between companies, but has yet to take action to push application developers and other fitness monitoring companies to provide an opt-out opportunity.

In September 2013, the US Food and Drug Administration released guidelines on mobile medical applications to address privacy concerns. But these guidelines only apply to apps that are promoted for medical purposes, such as the diagnosis, cure, treatment, or prevention of a disease. Without a secure privacy policy or protection from HIPAA, users’ health information obtained via these trackers could be sold to insurers, mortgage lenders, or employers.

Schumer called on the FTC to help ensure companies clearly explain to users how their data is being used and allow consumers to opt out of data sharing. Companies making fitness tracking devices should also adopt stronger policies that protect consumer information in the case of a breach. These measures will allow individuals to enjoy the many perks of their fitness devices without the increasing threats to their private health information, Schumer says.

Copyright 2014 Burrill & Company. For more life sciences news and information, visit The Burrill Report.