Who Owns Your FitBit Data? Biometric Data Privacy Problems

The following blog post is adapted from a talk the author gave at the “Data Privacy in the Digital Age” symposium on October 26th sponsored by the U.S. Department of Health and Human Services.

Today, I’ll be focusing on the data privacy issues posed by sports wearables, which I define to include both elite systems such as WHOOP or Catapult and more consumer-oriented products such as Fitbits, and why the U.S. needs an integrated federal regulatory framework to address the privacy challenges posed by private entities commercializing biometric data.

Sports wearables have evolved from mere pedometers to devices that monitor heart rate and sleep, tell athletes how to maximize recovery, and even track food intake and sexual activity – all uploaded to the cloud.

These technologies are now ubiquitous and have wide appeal to consumers – in fact, I’m wearing a Fitbit right now.

But these devices raise several key problems for consumers that are not yet being adequately addressed by the U.S. legal and regulatory system.

Employee Freedom

I begin with what will likely be the biggest impending battle over sports wearables: how employers may use them as a potential economic weapon and restrict employee freedom.

Biometric data isn’t just for personal, voluntary use anymore but is being increasingly used for employee monitoring and evaluation.

In the sports domain, companies such as WHOOP are using wearables to track individual athletes’ data – and sharing it with not only athletes but coaches and other team officials as well.

At the professional level, this has already raised some eyebrows. But professional athletes have high visibility and bargaining power through sports unions, making their use of wearables subject to collective bargaining agreement negotiations.

For example:

  • The NFL Players’ Association signed a deal with WHOOP to make it the Officially Licensed Recovery Wearable of the NFLPA and allow players to commoditize their own data
  • In their new CBA, the NBA and NBA Players’ Association agreed to terms protecting the right of individual players to decline the use of wearables at any time

This is great for pro athletes but most U.S. workers don’t have robust unions protecting them. Employers increasingly offer sports wearables as part of efforts to promote employee wellness and bring down health insurance costs. BP uses data provided by sports wearables to adjust premiums for their employees, and CVS has actually fined employees for failing to disclose health vitals such as weight and body fat percentage.[1]

And this is encouraged to a certain extent by the federal government.  In June 2013, the Department of Labor and HHS shared Affordable Care Act wellness program regulations which allowed, and in some cases mandated, that employees share personal information with their employers in the form of a health risk assessment (HRA).[2] Sports wearables have the potential to help in such efforts. Thus, employers are being incentivized to address major public health concerns – like tackling obesity among the workforce – by creating major privacy concerns.

All of this amounts to an ethical quandary.  What will happen in the future if an employee doesn’t want to share his health data or refuses to wear a Fitbit? Even athletes, whose entire jobs depend on peak physical performance, regularly balk at excessive invasions into their physicality and privacy that render them feeling like “lab rats.” How can, say, Oracle justify similar biometric data tracking for a systems analyst?

Furthermore, what happens when the person in question isn’t an employee at all?  For instance, while the NCAA constantly reiterates that collegiate players aren’t “employees” but “student-athletes,” advanced sports wearables are already being used by at least two collegiate athletic departments. The purported goal is to get athletes to make “positive” behavioral changes with “strong” encouragement to wear WHOOP.[3]  But the data could also be used to monitor every aspect of athletes’ lives and penalize them for “poor” choices such as drinking the night before a game or failing to get enough sleep.

Without better rules on who can access and handle biometric data, fears of Big Brother may shift from the government to Big Business – all under the guise of companies trying to promote “wellness”. 

Security

These issues are further compounded by questions regarding security and technological accuracy.

Because sports wearables are 24/7 products, often paired with technologies like GPS, the biometric data they collect can paint a very accurate picture of a person’s habits and proclivities.

And reports show that this data is often easily hacked. This opens wearables users up to unintended access and even falsification of data, threatening harm to economic – and possibly even legal – interests.

Furthermore, we don’t know if the data produced by these devices is even accurate, or capable of being meaningfully used. No universal standard exists regarding how sports wearables operate, and a class action lawsuit has already arisen alleging inaccuracies in Fitbit’s measurements. Expect questions about the viability and reliability of sports wearable technology to grow as these devices become more pervasive – and more central to determining, in dollars and cents, how to evaluate the health of an individual for economic purposes.

The Legal Landscape

Now that I’ve outlined some of the privacy problems surrounding sports wearables – what can Americans do?  Well, currently not much, as the United States remains an outlier by failing to have a comprehensive national policy regarding data privacy.

States appear to be leading the charge on data privacy thus far. All but two have laws in place requiring notice from private and public bodies when security breaches have leaked personally identifiable information[4].  Three states have gone further, defining what is meant by “biometric identifier”, specifying data security requirements, and limiting the period that biometric identifiers can be retained. Illinois goes furthest by creating a private right of action by which consumers can directly sue companies that misuse their biometric data.

From a consumer perspective, it’s good that the states seem to have a plan – because the federal landscape is, frankly speaking, a mess.  I’ll illustrate this by speaking about three major pieces of legislation that demonstrate how the U.S. government and its agencies are ill-equipped to deal with the future of commercialized biometric data. 

HIPAA

HIPAA’s exemption of “mHealth technologies” that include sports wearables leaves current federal regulation largely to the FTC and FCC. While HIPAA does cover privacy and security of health information, the scope of what HIPAA covers can be quite narrow. For instance, health information captured under a workplace wellness program isn’t protected unless it is specifically part of a group health plan.

The FTC regulates through its application of Section 5 of the FTC Act, which prohibits “unfair or deceptive practices” including failure to properly disclose privacy policies or obtain authorization to disclose personal data. The FTC has also issued general guidance regarding collection and use of biometric information, though that was primarily based on facial recognition technologies.[5]

The FCC is also getting into the regulatory space through its Connect2HealthFCC senior task force which is designed to review how broadband-enabled health solutions – including sports wearables – should be regulated. There is also growing recognition that the FCC is expanding its regulatory footprint in data privacy more generally by joining such groups as the Global Privacy Enforcement Network.[6]

In short, the FTC and FCC are using their competency in their respective domains – consumer protection and communications – to attempt to regulate the brand-new sector of sports wearables. While their commitment may be admirable, the problem is that the U.S. is betraying a siloed history and sectoral approach to a pervasive modern problem.

What I propose is that the U.S. government take an issue-based view of the matter at hand – namely, how do we protect the American citizen from the privacy threats posed by potentially increased access to health data? – and clearly assign policy and enforcement competence and jurisdiction in this field to a single regulator at the federal level.  Not only would this eliminate the inefficiency of having multiple departments and agencies examining the same issue but it would grant the citizen a clear resource for information and for lodging complaints. 

The Rest of the World

Doing what I just mentioned isn’t crazy.  In fact, in much of the rest of the world, data privacy – a broad concept that includes biometric data – is viewed as a right.  The EU has specified that “everyone has the right to the protection of personal data concerning him or her” and that “data must be… for specified purposes”.  The EU Parliament has also outlined regulations and directives confirming the importance of consumer data privacy and clearly defining and regulating biometric data. To safeguard these principles and laws, most EU states also charge a single government agency with federal responsibility over data privacy matters, specifically including biometric data.

To the north, Canada’s Personal Information Protection and Electronics Act and Privacy Act govern how private and public sector organizations must, respectively, handle Canadians’ personal information.  A single federal regulator, the Office of the Privacy Commissioner, is tasked with investigating possible violations of both Acts.

Even Hong Kong, often called the “freest economy in the world”, has an Office of the Privacy Commissioner and a dedicated Personal Data (Privacy) Ordinance.

So What Should Happen Here?

While the U.S. doesn’t necessarily need to precisely emulate the Privacy Commissioner models of other countries, there is a need for better coordination and greater transparency – and at the very least a single body tasked with initially interfacing with the public on such matters. This pro-citizen approach will alleviate confusion as questions about biometric data collection grow.

As is often the case, the sports world will be the testing ground for the initial stages of this battle over ownership of individual biometric data.

In the near future, expect companies who claim “anonymized” data belongs to them – and experts who contend that true anonymization is impossible. Insurers and employers will provide incentives to leagues and players to offer up their data for “research” purposes. Privacy advocates will contend that such data is personal patrimony and that athletes are giving up such information much too cheaply.

These are all worthy debates to track.  But here, at HHS and in Washington DC, I’d like to point out that such battles will soon pass from the sports and technology pages to the front page – and Americans will begin asking, as they rightly should – what is the plan and who is responsible?  It only makes sense, then, to band together and present a singular voice/agency to speak to Americans about this critical subject.

4 replies »

  1. Definitely. It’ll be interesting to see how employees react if reporting biometric data slowly becomes mandatory.

  2. Absolutely. Sports wearables as a consumer product is only the entry point for discussions about what we do with biometric data.

  3. I use Fitbit and it’s shocking to know about the data and security issue. It is so true what you said about Biometric data that it isn’t just for personal, voluntary use anymore but is being increasingly used for employee monitoring and evaluation.

  4. This issue will only intensify as patient wearable devices emerge as the next big medical trend. Manufacturers will wish to keep data to better update / manufacture their device while patients will not want their data disclosed.