The “Age of Wearables” is in full swing. The “Swiss Army knife” capabilities of today’s personal connected devices have helped propel a global explosion in the popularity of fitness trackers and smartwatches. Research firm Gartner recently predicted that worldwide spending on wearable devices will total $81.5 billion in 2021, an 18.1% increase from $69 billion in 2020.
These IoT devices, most of which started as simple fitness trackers to measure the number of steps an individual took per day, have advanced beyond our wildest imaginations. Last September’s introduction of the Apple Watch Series 6, for example, broke new ground with its ability to measure the blood oxygen saturation level – an especially timely and useful function during the COVID-19 pandemic.
While wearables are not considered true healthcare devices, they do collect substantial personal information, including highly sensitive health-related details. This could present perilous data privacy issues for consumers who may not know whether their personal information and health details are safe and secure.
The wearable data privacy basics
Because of the risks associated with the intentional – or unintentional – sharing of private consumer data, consumers should fully understand the following privacy implications before investing in wearable devices:
- Data collected via a smartwatch or wearable is not regulated (yet). Until Congress passes a comprehensive federal data privacy law that includes wearables, the FTC is charged with enforcing the mish-mash of laws currently on the books. Although some states have stepped up to address medical or health data to fill the gaps, without clear national guidance, it’s still “buyer beware.”
- HIPAA regulations don’t protect your wearable data. Established in 1996, HIPAA is the most far-reaching health law in the United States to date. However, HIPAA is limited in scope. Its regulations only apply to information created, received or maintained by or on behalf of healthcare providers and health plans. Therefore, any consumer data created by or uploaded to a smartphone app or a wearable device does not fall under HIPAA rules. In fact, to avoid HIPAA oversight, many wearables label themselves as wellness tools in their privacy policies or terms and conditions.
- Personal data could be used for marketing purposes. Wearables and wellness apps collect data about consumers in much the same way as social media platforms. In other words, device manufacturers are sitting on a treasure trove of consumer health data. Yes, the collection of this data may seem innocuous if it’s only used to improve products. Unless the manufacturer explicitly states otherwise, however, the data could be sold for advertising or marketing purposes. Consumers must keep in mind that until wearable manufacturers adopt health data collection, privacy and security policies that protect the personal data falling outside the bounds of state and federal regulations, consumer privacy is not guaranteed.
Take privacy precautions before handing over a wearable
As smartwatches and fitness trackers grow more advanced, a growing number of consumers will look to upgrade and trade in or sell their used devices on third-party sites and apps such as eBay, Craigslist, Facebook Marketplace or OfferUp. Wearable owners should be aware that selling devices on these sorts of marketplaces or even directly to another individual risks putting personal data in the wrong hands.
Therefore, the onus is on device owners to take two important steps to safeguard their own personal data before handing over no-longer-wanted wearables:
- Disconnect the device from linked accounts and other devices, such as smartphones. Consumer data on wearables that have not been unpaired from other devices or websites can be easily reloaded from those linked devices or accounts, even after a factory reset.
- Reset the smartwatch or fitness tracker to factory settings. A reset should be enough to render any data remaining on the device inaccessible. However, this only works if the wearable has first been unpaired from other devices and accounts. If it has not, a “bad actor” could easily retrieve residual data.
It’s easy to get complacent about personal data, especially in an era of “oversharing.” We discovered this firsthand in 2019 when we wanted to determine how many used SSD and HDD computer hard drives being sold on eBay still contained personal data. Our study found that of the 159 drives we purchased, 42% contained sensitive data and 15% contained Personally Identifiable Information (PII). One of the drives even included scanned images of family passports, birth certificates, CVs and financial records.
While it’s entirely understandable that data privacy is not top of mind for consumers seeking a smartwatch that will help them live a healthier lifestyle, they should at least understand wearable-related data privacy risks. Having this knowledge will allow them to make informed decisions about what they choose to share and the actions they take before selling their used device. In a world where our personal data is highly valuable to hackers, the responsibility to protect personal health details, prevent the sale of personal information on the dark web and lower the risk of identity theft truly belongs to the wearable user.