Google, Fitbit, and the Sale of Our Private Health Data

On November 1, 2019, Google’s Senior Vice President of Devices and Services Rick Osterloh announced in a blog post that Google had entered into an agreement to acquire Fitbit, Inc. This move signaled Google’s effort to become a leading company in the $25 billion wearables market after failing to make a splash with its own line of Wear OS products. However, many current Fitbit customers and privacy watchdogs are concerned about the implications the sale will have for the privacy of the health data that Fitbit collects. The current lack of legal protection for health data collected by wearable technology and the inherent value of consumer data to Google’s business model present a problematic combination that could see an erosion of consumer privacy.

The primary legal structure governing the use of personal health information (“PHI”) is the Health Insurance Portability & Accountability Act of 1996, commonly referred to as HIPAA. The purpose of HIPAA is to mandate industry-wide standards for health care information and to require the protection and confidential handling of PHI. Over the past two decades, the framework HIPAA established has become central to the protection of PHI and has held healthcare providers accountable in instances where PHI has been exposed.

Yet the rise of wearable technology and its growing functionality in recent years has exposed a gap in HIPAA protection. As the law is written, HIPAA does not apply to health data collected by wearable health technology. This is because HIPAA only governs organizations considered to be “covered entities,” which the law defines as a health plan, a health care clearinghouse, or a health care provider. Fitbit, as an organization that only collects health data for its customers’ own use (e.g. tracking step count for the user to view) and not to provide health care services, does not qualify as a covered entity. As a non-covered entity, Fitbit is not required to abide by the HIPAA-mandated regulations for the protection of PHI, even though the nature of the information it collects (e.g. name, address, phone identification number, height, weight, heart rate, etc.) qualifies as PHI as defined by HIPAA. Thus, users are left to rely on Fitbit’s self-published privacy policy and on the assumption that the company will neither breach nor change that policy, as the only protection for their sensitive information.

Fitbit currently collects data from its 28 million active users, and even showed off the power of its data last year by showcasing trends it gleaned from 150 billion hours of heart data, the largest set of heart-rate data ever collected. This type of large-scale data collection and use falls perfectly in line with Google’s own business practices in recent years. According to a 2018 report, Google is one of the largest collectors of personal data—even collecting more than Facebook. Google uses its hardware, websites, and applications to actively and passively collect as much data on its users as possible. The Associated Press found that even when users disabled the “location history” feature in several Google websites and applications, Google was still collecting and storing users’ locations.

This data has become one of Google’s most valuable assets. Data is the driving force behind Google’s ability to effectively deliver ads, which accounted for 83.75% of its 2019 Q3 revenue. Google’s ad revenue has also increased year-over-year from $21 billion in 2008 to $116 billion in 2018. A company whose primary source of revenue is the use of data for targeted ads will gain unfettered access to one of the largest health data sets in the world. This is why, although Fitbit and Google both stated that Fitbit data would not be used in Google ads, many critics are skeptical of Google’s intentions.

Google is poised to control vast amounts of our personal data and can use it for anything from targeted ads (e.g. ads for running shorts based upon increased running activity) to conducting beneficial or agenda-driven medical research. However the data is used, Google is gaining increased access to our most sensitive and personal information, which is not protected by HIPAA, while remaining a company whose main goal is not public health. This lack of legal protection for PHI collected by wearable technology—and the immense value of data to Google’s business model—present clear privacy concerns for consumers that will only continue until action is taken to expand HIPAA so that it effectively protects all PHI.