Wearable Technology, Biometrics, and Your Privacy: Finding the Line Between Marketing Data and Medical Data

Biometric and wearable technology is a huge new trend right now. From fitness trackers to “smart” clothes to fingerprint authentication, companies are building up their IP portfolios with patents and trademarks for new wearable technologies. Wearables were also a big topic of conversation at the Consumer Electronics Show and SXSW Interactive (the tech portion of the ever-growing SXSW festival).

This increasing segment of gadgets does everything from tracking your fitness to tracking your baby’s sleeping patterns to tracking your glucose levels if you suffer from diabetes. With all of this tracking going on, we are faced with a trade-off. How much information do we give away to the proprietors of these technologies and what are the benefits?

This has become an area of increasing concern and the Federal Trade Commission even held a seminar recently to discuss just this issue. The FTC is the government entity most associated with consumer privacy rights, and this meeting laid out a lot of issues that will only become more important as new wearable technology enters the market.

What kind of data is at issue, and where is it going?

Biometric data is any measurable or quantifiable data relating to the body. During the FTC presentation, Jared Ho, an attorney in the FTC’s Mobile Technology Unit, mentioned that fitness apps collect “everything from running routes, to eating habits, to sleeping patterns, the symptom searches, and even the stride or cadence of a person’s walk or run.” While fitness apps are probably the best-selling wearable technology to date, companies are looking to create “smart” clothing, jewelry, headbands, glasses, and contacts (and even diapers), all of which help track and regulate how the body is functioning. Thus, all of this new technology is collecting data on our most personal bodily functions.

While wearable technology seems to be a new commodity, the spread of data is not. We often do not know all of the places our data can end up. One key takeaway from the FTC presentation is to watch out for ad-supported apps versus other payment models. Ads are often targeted based on the data collected, so that data is more valuable to the makers of ad-supported apps, and those apps are more likely to be selling your biometric data.

What laws are in place to protect against the spread of data?

The privacy-related legal infrastructure in the U.S. is considered a “sectoral” infrastructure, where different types of data and data collected for different reasons are subject to different laws. In particular, the U.S. has instated stricter laws for health information, including the Health Insurance Portability and Accountability Act (HIPAA). (Europe, by contrast, is working towards an omnibus privacy infrastructure.) While there is room for discussion as to which approach is better, I only want to note that the U.S., in taking the sectoral approach, has specifically indicated that health privacy is an area of strong concern and has instated stricter laws in the area of health privacy. Additionally, states like California have taken steps to protect health information under laws like HITECH, which both helps medical offices adopt electronic records and governs how to keep the information safe.

Anyone who has dealt with HIPAA knows it is often hard to discern when it applies and to what data. Joy Pritts, Chief Privacy Officer of the Office of the National Coordinator for Health Information Technology (ONC), mentioned in the FTC presentation that it is easy to know you are covered by HIPAA when you sign a notice at your doctor’s office. However, it becomes a gray area the further attenuated the data becomes from the doctor’s office. She explained, “if a lawyer is performing a service on behalf of a doctor, for example, then they must also follow the HIPAA rules for privacy and security. On the other hand, if a lawyer subpoenas those documents for another purpose, it’s not protected by HIPAA.”

Wearable technology alone almost certainly does not fall under HIPAA. However, the data it collects is probably the same as, if not more robust than, the health information your doctor has. As new wearables develop, though, it is possible that wearable medical devices may be considered business associates covered by HIPAA.

The Trade-Off

We trade data for convenience and/or discounts all the time. From grocery club cards to Facebook posts, giving away data for marketing purposes is nothing new. So when your fitness app tracks your sleeping patterns and sells that information to a company marketing a sleep aid, it shouldn’t be too surprising. However, if that same data is collected and sent to your medical professional, this may be a new frontier.

On the one hand, it seems like a win-win if people can use technology to become healthier and share their information in order to help other people with similar conditions. In fact, a study by Consumer Reports showed that 90% of people were willing to share health data in order to improve the care of others like them. Additionally, John Wilbanks, a Health IT expert, argues that the creation of a giant pool of health data may give researchers insight into problems they couldn’t explore on a micro level.

One thing is for sure. Wearable technology is putting a significant amount of new health data into the hands of individuals, and if we, as individuals, are paying attention to that data, we are going to have to make a lot more new health decisions ourselves.