Posted by: Kyle Sol Johnson
April 18, 2015
Wearable technology such as the new Apple Watch, Google Glass, and exercise tools like FitBit appear to be the next frontier in personal consumer tech. The $14 billion industry is projected to quintuple over the next decade. The primary sector in this industry is healthcare, and indeed, products that monitor everything from heart rate to weight to the frequency and intensity of exercise stand to revolutionize the medical (and medical insurance) industries. However, the same informatics that allow these technologies to be used for near-constant health monitoring come at the expense of consumers’ privacy.
Many of the free apps and wearables that allow users to monitor health data also transmit that data, much of it personally identifiable and in many cases with no encryption whatsoever. This opens users up to a host of potential risks, including identity theft, minority profiling, stalking, and employer misuse. Moreover, the vast majority of free apps sell the user-generated information to interested third parties like healthcare providers, insurance companies, marketing firms, and even employers. Most apps claim that they won’t share personal information without consent; however, they still sell the data, just with the names of users stripped from the rest of the information.
This data is already being used by employers seeking to reduce group insurance costs, and may soon be utilized to directly adjust insurance premiums based on the health of the insurance holder. Governments may also get in on the game, giving tax breaks for citizens who demonstrably maintain healthy lifestyles. There are other implications as well — in Canada FitBit data has already been used as evidence in a personal injury case.
HIPAA privacy regulations do not yet apply to this type of data because it is not shared with a doctor, hospital, or third party vendor (insurance). States may treat this data as Protected Health Information (PHI) in the future, but as with any state regulation it may not be uniformly or quickly adopted. Unlike in the UK, the US does not have a robust federal data protection law. Instead there is a patchwork field of state and federal law and agency guidelines. The FTC has, however, gone after companies over sharing geolocation data without notice and consent and failing to provide reasonable security measures.
In 2014 the Personal Data Protection and Breach Accountability Act and the Data Broker Accountability and Protection Act were introduced in the Senate. The former would have required companies to implement programs to ensure the privacy, security, and confidentiality of personally identifiable information. The latter would have required data brokers to establish reasonable measures to maximize the accuracy of the information they collect and to offer consumers the right to review the collected data. Further, it would have required brokers to provide opt-out options for the sharing of PII with marketing firms. Neither bill was enacted.
But wearable technology doesn’t simply pose privacy risks to consumers. Products like Google Glass can allow employees to surreptitiously record meetings to be used in legal proceedings. Scarier still to employers, such recording technology can be used by employees to accidentally or purposefully record proprietary trade secrets or intellectual property. Once such information spreads to the internet it is difficult to contain, and, if it spreads far enough, it defeats trade secret protection altogether.
The prospects of wearable technology catalyze the already growing need for comprehensive data protection reform. The federal government should move to make comprehensive data protection reforms without crippling the ability of states to adopt stricter standards, particularly in the fields of health and geolocation data.