FPF Releases Best Practices for Consumer Wearables and Wellness Apps and Devices

The Future of Privacy Forum (FPF) announced yesterday the release of its Best Practices for Consumer Wearables and Wellness Apps and Devices, a detailed set of guidelines that responsible companies can follow to ensure they provide practical privacy protections for consumer-generated health and wellness data.

I have been following these guidelines very closely over the last few months and even provided some Canadian perspective on earlier drafts. These Best Practices incorporate input from a wide range of stakeholders including companies, advocates, and regulators. They are useful for companies engaged in designing and deploying these technologies, and they are also timely.

A new FPF Mobile Apps Study, also released this month, underscores the necessity of strong best practices for health and wellness data. The Study reveals that while the number of Apps that provide privacy policies continues its upward trend (from FPF’s previous 2011 and 2012 surveys), health and fitness Apps that may access sensitive personal information (such as physiological data collected by sensors on a mobile phone, wearable, or other device) don’t always have a privacy policy and actually do worse than average at being transparent about their privacy practices.

The FPF Best Practices call for restrictions on data sharing, enhanced notices, and informed consent for research. On the issue of providing consumer choices, these Best Practices recommend:

  • an opt-in consent for sharing data with third parties;
  • a ban on sharing with data brokers, information resellers, and ad networks;
  • an opt-out consent for tailored first-party advertisements;
  • access, correction, and deletion rights; and
  • enhanced notice and express consent for incompatible secondary uses.

In Canada, providers of consumer wearables and wellness Apps and devices are subject to PIPEDA (and substantially similar provincial laws). The Office of the Privacy Commissioner of Canada (OPC), the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia jointly released a guidance document in 2012 entitled Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps. While this document provides some guidance for mobile app developers, it does not specifically address the concerns raised by consumer wearables and wellness Apps and devices. The OPC (Research Group) also published in 2014 a research report, Wearable Computing – Challenges and opportunities for privacy protection, which provides design considerations for wearable computing devices. More recently, the OPC funded a project pertaining to wearable technologies in the workplace (2016-2017 program), so more guidance pertaining to wearables and privacy should be released in the near future.

PIPEDA provides much flexibility on the form of consent sought by an organization, which depends upon the circumstances, the sensitivity of the information, and the “reasonable expectations” of the individual. Policy guidance on enhancing transparency and obtaining valid consent is therefore increasingly important with new technologies. These FPF Best Practices provide valuable guidance on how to deal with some of the consent issues when designing and deploying consumer wearables or wellness technologies. They also make recommendations for privacy practices that support interoperability with global privacy frameworks and leading app platform standards.

This content has been updated on August 18, 2016 at 20 h 22 min.