U.S. Senator Charles Schumer (D-New York) warned of the privacy threat posed to consumers by fitness apps that collect and share consumers' sensitive fitness and health data with third parties -- without notice or consent. In an August 10th news conference and press release, the Senator described the privacy concerns:
"... personal health and fitness data – so rich that an individual can be identified by their gait – is being gathered and stored by fitness bracelets like ‘FitBit’ and others like it, and can potentially be sold to third parties, like employers, insurance providers and other companies, without the users’ knowledge or consent. Schumer said that this creates a privacy nightmare, given that these fitness trackers gather highly personal information on steps per day, sleep patterns, calories burned, and GPS locations. Users often input private health information like blood pressure, weight and more...."
While the Senator believes that fitness apps are an effective and helpful technology for better health, the privacy concerns are compounded by the fact that:
"There are currently no federal protections to prevent those developers from then selling that data to a third party without the wearer’s consent. Schumer therefore urged the Federal Trade Commission (FTC) to push for fitness device and app companies to provide a clear and obvious opportunity to “opt-out” before any personal health data is provided to third parties, who could discriminate against the user based on that sensitive and private health information."
A March 3, 2014 blog post explored the massive data collection by Facebook via several fitness apps. The Senator's privacy concerns are valid since we already know that at least one credit reporting agency wants access to consumers' data collected by Facebook and other social networking services. News organizations have widely reported on several problems in the credit reporting industry: failures to fix errors in the reports they sell, data breaches, and settlement agreements about alleged improper list sales.
"What Data May be Shared With Third Parties?
First and foremost: We don’t sell any data that could identify you. We only share data about you when it is necessary to provide our services, when the data is de-identified and aggregated, or when you direct us to share it."
The policy describes other ways your sensitive Fitbit data might be shared:
"Other Ways You Might Share Your Data
Default Visibility Settings -- The privacy settings on new Fitbit accounts are set to reveal minimal data about you with the purpose of getting you active and involved with Fitbit...
Fitbit Social Tools -- Fitbit provides many ways for you to share data with other Fitbit users, such as with the 7-day Leaderboard, Challenges, or by posting comments to the Fitbit community message boards. When you interact with others in these ways, you will be displaying your data based upon the visibility settings in your User Account privacy settings...
Community Posts -- To post to Fitbit community message boards, you’ll be asked to create a community username that’s separate from your Fitbit username. This community username will be posted next to any comments you publish on community message boards. Other information, like a profile photo that you’ve added to your Fitbit account may also be visible on message boards, depending on your Fitbit account settings."
Second, Fitbit does not honor Do Not Track browser settings:
"Although we would like to honor the browsers set with a “Do Not Track” signal, we are currently unable to honor those signals. We believe that consumers should exercise choice regarding the collection of this type of data, which is why we disclose the cookies used and provide links to opt-out of those collection practices below."
So, the burden is on the consumer to pay close attention. This brings us to my third observation: the policy does not offer a global opt-out of all data sharing, which Senator Schumer called for. A global opt-out mechanism would make it easy for consumers to ensure that no sensitive health and fitness data is shared with third parties. Instead, the burden is on users to wade through every program, site feature, and mobile app feature and its corresponding rules or policies.
Fourth, the Fitbit policy doesn't indicate what is stored in cloud services, that is, on computers hosted by third-party companies. My March 3, 2014 blog post explored the privacy policies of other fitness apps, and some of them mention cloud services. To be informed shoppers, consumers must think about this in the context of the specific mobile platform (e.g., Apple iOS, Android, etc.). Whatever is transmitted through your mobile device potentially could be shared with the manufacturers of that device, its operating system, and the telephone company.
What are your opinions about the privacy of fitness apps?