Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

How fit is your gadget? Putting web-connected health/wellness devices through their privacy paces

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

OPC blogger, September 22, 2016 - Internet and online, Location, Other Privacy Authorities, PIPEDA, Privacy Sector Organizations, Social networking

Smart TVs . . . Fitness trackers . . . Automated thermostats . . . Self-driving cars . . .

The Internet of Things is the next frontier in digital technology which is why the Global Privacy Enforcement Network focused its 2016 Privacy Sweep on this emerging market. Sweep participants were especially interested in how companies communicate their personal information handling practices.

Given the sensitivity of the information that health and wellness devices, as well as their associated apps and web1sites, are capable of collecting, the Office of the Privacy Commissioner of Canada (OPC) focused its Sweep on 21 devices ranging from smart scales, blood pressure monitors and fitness trackers, to sleep and heart rate monitors, a smart breathalyzer and a web-connected fitness shirt.

The choice of devices dovetails with one of our four strategic privacy priorities—the body as information. Identified as an important area of focus during a priority-setting exercise that culminated in May 2015, the body as information refers to the mounting privacy concerns related to highly sensitive health, genetic and biometric information that is being used by organizations and governments in all sorts of new ways.

During the Sweep, our Sweepers—aka OPC staff—put the products to use to see first-hand what information the devices requested, compared to what privacy communications said would be collected. In some cases, they followed up with specific privacy questions for the companies.

Below is a brief assessment of how the devices stacked up.

Note: the Global Privacy Sweep is not a formal investigation. We did not seek to conclusively identify compliance issues or possible violations of privacy legislation. This was not an assessment of a device’s overall privacy practices, nor was it an in-depth analysis of device design or functionality.

We sought to recreate the user experience and for the purposes of this blog, we compared and contrasted certain features observed by our Sweepers—namely those they found particularly fit, with those they felt could benefit from some rehab. We learned a lot and hope these concrete examples will help device makers, as well as Canadians, better understand our conclusions.

We’ve also offered some takeaways for companies and consumers. The purpose is to provide some basic tips on how to improve privacy communications from a user’s perspective. These takeaways should not be viewed as legal advice or a substitute for any legal requirements under applicable privacy legislation. Organizations that would like more information on their legal obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, may wish to have a look at our Privacy Toolkit.

Location, location, location!

Why do so many devices want to know where you are at any given time? Sure, it might make sense for a fitness tracker that needs to follow your route to calculate your distance travelled. But a blood pressure monitor or thermometer?

The QardioArm blood pressure monitor seeks access to location when the user creates an account and provides the following explanation which seemed a bit odd to our Sweeper.

quardioarmxxx

Then again, it might be interesting to check whether a visit to the in-laws does indeed thrust the ticker into overdrive.

The Kinsa thermometer also gives users the option to enable location tracking and provides a couple of reasons for it.

In a follow-up email to our Sweeper, the company explained that access to location helps users find groups of other Kinsa users. Presumably to swap riveting tales of temperature readings?

The Privacy Policy also offered an interesting use for location data:

kinsaxxx

I suppose it might be nice to know if there’s a strep throat outbreak before everybody starts double dipping the guacamole at your next party.

Takeaway for companies: Besides location, users also want to know why you need to collect certain information such as full date of birth, height, weight and why you require access to such things as one’s photos and contact list. Provide the purposes for the collection up front and you’ll avoid leaving users guessing. For something as sensitive as location tracking, Sweepers were pleased that many devices gave users the option to turn it on or off.

Takeaway for consumers: Just because a device or associated app asks for data, doesn’t mean you’re required to turn it over. Many data points are optional and users should be prudent before handing over information. Make sure you understand and agree with the intended use of your personal information.

Checking out?

Had enough health tracking for one lifetime? Time to resume your position on the couch with a bag of chips? Deleting your account may not be so simple.

Despite technological advances that allow users to share data electronically with doctors and relatives, the Everlast Health blood pressure monitor relies on snail mail to fulfil requests for data deletion. Seriously?

everlastxxx

By contrast, the Jawbone UP3 wireless activity, sleep and heart rate tracker offers what appears to be a comprehensive series of instructions for deleting data, whether it’s specific readings or all personal data on the company’s servers and beyond, including that collected by its partners.

jawbone1xxx

jawbone2xxx

Unfortunately, despite all these seemingly quick click mechanisms for deleting data, our Sweeper noted his account was still active and personal information was still accessible two months later, despite following up with the company’s customer service department to confirm deletion.

Takeaway for companies: There’s no need to make things difficult for customers who wish to delete their data. As technological innovators, we are confident in your ability to come up with a simple and quick way for people to delete account information that does not require more than a few clicks of a mouse. Simplicity is a great way to build trust and credibility with your customers.

Takeaway for consumers: Know what you’re getting into before diving in. Before providing personal information, make a point of finding out what’s going to happen to it and whether you can erase it later if you so desire. If you’re not sure, contact the company for more information. Most organizations are sensitive to consumer concerns about privacy. Let them know if something doesn’t feel right. Positive changes to the general policies or practices of an organization are more likely when people speak up.

Three (or more’s) a crowd

Transactions in the online world are never black and white. From marketing, to analytics, to scientific research, behind seemingly every company you think you’re dealing with is a myriad of third parties potentially getting access to your data for one reason or another.

The QardioArm wireless blood pressure monitor offers a crystal clear explanation of who it won’t share your information with, such as advertisers and marketers, data brokers and information resellers. To our Sweeper’s delight, there’s an added caveat that nothing will be shared without the user’s express (opt-in) consent.

Meanwhile, the BACtrack Mobile breathalyzer device gives users the option to store blood-alcohol level readings and sets its default to not keep this data on file, which is great. But if you decide to create an account and keep a record of your readings, your data, including your readings as well as your location, notes, photographs, gender, weight and other data will be stored and may be shared with third parties, including the media. BACtrack warns in the printed Privacy Policy that comes with the device that “although we will not associate your name with such data, your identity may be determined by the other data available.”

Curiously, we did not find this same clause in the online version of the privacy or terms of use policies.

Takeaway for companies: Consumers want to know who their personal information is being shared with and for what purposes. Ideally, companies should provide details about what information is being shared and with whom. For example, is it being shared for marketing, research or operational purposes?

Takeaway for consumers: Read and make sure that you are comfortable with the use and sharing practices of a company you are dealing with. Remember, many companies will not only sell you a device, they may sell your data as well. Note, however, that you do not have to agree to all a company’s requests to share your data. Certain requests to disclose, such as for marketing purposes, should not necessarily be a condition for using a device. Also know that devices may connect to existing social media platforms or offer their own social media features that allow you to share data publicly. Think twice. Once information is out there, it may be impossible to get back. Think of the impact certain comments or images could have on your reputation or the reputation of others. What might seem like a good idea in the moment, might not in the days, weeks, months or years ahead.

Details please

Sweepers were certainly conscious of the sensitive nature of health data and were protective of it. While they understood that providing too much information about safeguards could compromise a company’s security, they felt some detail was important.

The Garmin Vivosmart HR fitness tracker monitor offers users a pretty detailed explanation of its security controls under the heading “Keeping Data Safe at Garmin” and encourages users to report any security or vulnerability issues they might encounter.

The company also explained its use of encryption, but our Sweeper was left wondering whether it only applied to financial data and if health information is also encrypted.

garminxxx

Meanwhile, the Fitbit Charge HR fitness tracker offered a single vague line about safeguards in its privacy policy and invited users to contact the company for details:

fitnitxxx

A follow-up email to the company yielded a slightly more detailed explanation that included some information about its use of encryption, but it mostly just “rest assured” us that its products were “designed with security in mind.”

Takeaway for companies: Sweepers noted a number of vague statements about the use of safeguards, with organizations reassuring users that their information is safe. Ensure you have the necessary robust safeguards in place, commensurate with the sensitivity of the personal information you have collected.

Takeaway for consumers: If, after reading about what safeguards a company has employed to protect your personal information, things still aren’t clear or you have questions, ask. If you believe your data has been compromised, raise your concerns with the company. If you are not satisfied with the results, you have a right to file a formal complaint about organizations subject to PIPEDA with our Office.

Get to the point

Ever purchase a product only to wonder whether the company realizes they’ve provided the wrong privacy communications? Generic privacy policies that read as though they were written for another product are frustrating and unhelpful. But it doesn’t have to be this way.

The Razer Nabu fitness tracker provides a great example of just-in-time notification—a practice that provides valuable information to users about how their data is going to be used at the very moment they are asked to provide it.

nabuxxx

The iMazeFitness HR strap, on the other hand, offered a link to a privacy policy that seemed completely unrelated to the device or company in question. On top of that, after our Sweepers were desperately looking for some form of relevant privacy communications for iMaze, they were disappointed to find a placeholder inserted at the bottom of a profile page that said: “insert customer data privacy clause here.” How embarrassing!

imazexxx

Takeaway for companies: Privacy communications that are specific to the device in question are far more useful than generic policies that will simply leave your customers scratching their heads. Just-in-time notifications provided on the device at the moment data is sought is a best practice worth considering. Finally, do your due diligence. Generic templates and unfilled placeholders are embarrassing and do little to engender trust and credibility with customers.

Takeaway for consumers: If the privacy communications do not match your experience using the product, let the company know. As mentioned before, companies tend to be responsive to consumers when they express concerns about privacy. A testament to this statement is the fact that 19 of the 21 companies we wrote to with follow-up questions got back to us in a timely fashion. We were satisfied with the responses from two-thirds of them. It’s a start!

Date modified: