Health-tracking bracelets and privacy issues

Éloïse Gratton December 20, 2014

Health-tracking bracelets are growing in popularity and many industry players have introduced these types of devices and apps in the last few years. We can think of the Apple Watch and Healthkit as well as the Fitbit App. Personal fitness bracelets can track users’ steps and calories burned and collect information on health, heart rate, and sleep.

Gartner’s recent study suggests that Smart clothing with advanced sensors is also expected to gain popularity by 2015-2016. These wearables may have the ability to track an individual’s heart rate, workout regimens, and even take photos and videos. These devices and wearables may therefore also have the capability of collecting geolocation information (photos of running routes, etc.)

What are the privacy concerns with these types of self-tracking devices?

Disclosing sensitive information

These self-tracking devices are collecting information pertaining to health and lifestyle (and potentially location), and may therefore reveal sensitive information in cases of privacy breaches. For example, it was reported in 2011 that Fitbit accidentally shared users’ sexual activity online. Using the App, a user can keep track of his/her exercise manually (including sexual activity) ranging from “passive, light effort” to “active and vigorous”. Someone noticed that the self-trackers the company catered to were disclosing their sexual activity statistics online. Because the company had historically made users’ profiles and activity “public” by default (to encourage social sharing and competitiveness), some Fitbit users may not have realized this. Fitbit has, since then, updated the default settings for activity sharing for new users to “private”.

Making available health data to third parties

It was recently suggested that, without adequate protections, users’ health information obtained via these self-trackers could be sold to insurers, mortgage lenders, or employers.

In Canada, our data protection laws would prohibit companies from selling personal information to third-parties, such as insurance companies or employers, without the users’ prior consent. A challenge is that the tracking device’s terms of use agreement and privacy policy could disclose the data sharing with third parties, in which case users could be said to have agreed to such sharing of their information. Still, given that health information is considered as sensitive information, users will usually expect to be adequately informed of the sharing and “opt-in” to such sharing.

Companies could still use and share health data that has been de-identified, or upon obtaining explicit consumer consent.

Using health information as evidence in a litigation

Can health information collected by these self-tracking devices be used as evidence in a litigation? These health devices may collect photos and track health and lifestyle information which may be recoverable in litigation if the evidence is relevant to the case at hand.

The information may be willingly turned over by a plaintiff following an accident in order to prove its detrimental affects. For instance, it was recently reported in the news that a Canadian law firm will use information from a Fitbit fitness tracker for the first time in court as an objective measure of activity. The information will be provided by the plaintiff, in a personal injury lawsuit, in an attempt to demonstrate life-affecting reduced activity post injury. The information is being willingly provided by the plaintiff and processed by data company Vivametrica, which collects data from wearables and compares it with the activity and health of the general population.

The information collected via these self-tracking devices could be subpoenaed by courts if relevant for a case: an employer attempting to demonstrate the location of its employee at a given time and date, an insurer attempting to demonstrate the physical health of an insured before or following an insurance claim, etc.

If the information is collected by a third party, in situations in which the user has an expectation of privacy, the information may be more difficult to use as evidence, at least in some jurisdictions. For instance, in Quebec, the Civil Code prohibits the use of any evidence obtained under such circumstances that fundamental rights and freedoms are violated and whose use would tend to bring the administration of justice into disrepute (s. 2858). This could be the case, for instance, if the user has installed privacy settings to limit the sharing of its information, and these settings were circumvented by an employer or insurance company to access the information.

Requiring an individual to be tracked via the bracelet

Third parties, such as insurance companies or employers, could require that employees, insured or claimants undergo assessment via fitness tracker. For instance, insurance companies could offer better premiums to individuals that agree to be tracked, similar to what we have seen with car-tracking devices which have sparked privacy concerns. Organizations could also decide to provide their employees with fitness trackers in order to potentially reduce its corporate plan insurance premiums.

These type of activities would have to comply with Canadian data protection and human rights laws. As a general principle, under such laws, consent is generally required before collecting and using personal information (these type of activities would therefore be prohibited if the information is collected without the knowledge of the individual) and an organization cannot collect or use information which is not “necessary”. This means that personal information collected and used has to be directly linked to (and relevant for) the employees’ position (if collected by an employer) or to evaluate the insured’s risk or claim (if collected by an insurance company).

Some jurisdictions may also prohibit the tracking of individuals without their prior consent. For example, under s. 43 of the Quebec An Act to establish a legal framework for information, a person may not be required to be connected to a device that allows the person’s whereabouts to be known unless authorized by law, either for health protection or public security reasons.

While these self-tracking devices may create new opportunities and benefits, they may also trigger privacy concerns. The more information is collected, the greater the risk is that this information be inadvertently exposed or used by unauthorized third parties.

Health-tracking bracelet privacy

This content has been updated on December 20, 2014 at 17 h 53 min.

Éloïse Gratton

Privacy & Data Protection Law

Health-tracking bracelets and privacy issues

Data governance and privacy risks in Canada: A checklist for boards and c-suite

An Update on New Québec Confidentiality Incidents and Record-Keeping Requirements

The inside scoop on how to become a privacy lawyer: 10 tips from the top

Preparing for the Privacy Reform in Canada

Getting Ready for Québec’s New Privacy Law in 2023 (Part 1): Using what we know so far

Getting Ready for Quebec’s New Privacy Law in 2023 (Part 2): Navigating uncertainty in the Law

Une fugitive recherchée depuis 30 ans, capturée à Berlin grâce à la reconnaissance faciale

CBC Windsor Morning Radio Show

La Cour suprême vient compliquer les cyberenquêtes

Une fugitive capturée à Berlin grâce à la reconnaissance faciale

Aide-mémoire en matière de protection de la vie privée et de sécurité des renseignements personnels

Lucky 7 data privacy and security cheat sheet