Are activity trackers a 'privacy nightmare'?

Earlier this week, Sen. Charles Schumer (D-N.Y.) made some headlines by calling out FitBit and other activity trackers for collecting user data that “can potentially be sold to third parties, such as employers, insurance providers, and other companies, without the users’ knowledge or consent.” Activity trackers and some smart watches collect user information such as height, weight, sex, age, location, activities, diet, and sleep patterns. The information is used to analyze activity and keep a history for consumers.

FitBit responded to Schumer that its privacy policy prohibits it from selling user data (and its website backs up that statement). Its online privacy policy does say that it may share “aggregated, de-identified data.”

We reached out to FitBit for a comment. A company representative said: "We support companies getting user consent before they sell any personal data. It has always been our policy not to sell user data. We have never sold personal data and we do not share personal data unless a user specifically directs us to do so, or under the limited exceptions described in our privacy policy. We are committed to our users' privacy in our policies and our practices."

Maybe FitBit wasn't the ideal company to single out, but Schumer correctly stated that there are currently “no federal laws that prevent developers from sharing personal health data with third parties.” He said that the FDA has released health information privacy guidelines on medical apps, but he said that fitness apps don’t fall under those privacy protections.

We spoke to Julia Horwitz, Consumer Protection Counsel at Electronic Privacy Information Center, to try to sort out some of these assertions. As to the question of whether fitness-tracker companies can actually sell or share customer data with impunity, she replied that it’s currently a question of interpretation. If a consumer’s data could be used to identify him or her, the data may actually be protected by those FDA guidelines Schumer mentioned. “There is confusion,” she said. “People are looking to federal regulators to help them figure out whether their data is protected.”


How worried should you be?

There's no doubt that the advent of Internet-connected smart devices, including wearable tech products such as activity trackers, smart watches, Google Glass, and more, has ushered in new privacy and security concerns. Fitness-tracker users might wonder why any third party would care how many steps they took that day. But again, you may also give the device data such as your weight, age, and sex. If a marketer were able to buy that information, you could become the direct target of unsavory ads—say, diet pills, black-market Viagra, or worse. Or, in a scenario Schumer pointed out, your data could potentially be sold to employers or insurance providers. And some devices track your location and daily schedule; those are things no one but you needs to know about.

Not only do consumers need to think about the potential for companies to sell or share data they’d rather keep private, but they should also think about how well the wireless transmission and storage of such data is protected, so thieves can’t intercept it. “We’ve seen some large data breaches recently,” Horwitz said. “If this data is not being properly stored, it could be hacked.”

She also pointed out that makers of activity trackers and other such devices should have an interest in being transparent about how they use and protect your data. If their policies are murky and mysterious, a potential customer may decide to buy from a rival whose policies are clear and up-front.

While it seems the law has not kept up with new technology in terms of protecting consumer privacy and security, you can take some steps to protect yourself.

  • Check out the privacy policy, especially regarding the sale or sharing of your data, of the manufacturer of any device you’re using to transmit or store personal information. (Googling the company name and the term “privacy policy” usually works well.)
  • Find out how well protected your data is while being transmitted or stored. Is it stored locally on your device or in the cloud? Is it encrypted for transmission?
  • Never use unsecured networks (such as public Wi-Fi) to send personal information—no matter what kind of device you’re using.

—Carol Mangis

Copyright © 2005-2014 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.