Biometric Data: Don’t Get Third-Partied!

Biometric Data: Don’t Get Third-Partied!
By Kayla Wopschall | February 23, 2022

In 2020, Pew Research estimated that one in five Americans regularly uses a Fitness Tracker, putting the market at $36.34 billion dollars. Then you have Health Applications, where you can connect your trackers and get personalized insights into your health, progress towards goals, and general fitness.

With so much personal data held on one little application on your phone or computer, it is easy to feel like it is kept personal. But the Fitness Tracker and Health Applications have your data and it is critically important to understand what you’ve agreed to when you quickly click that “Accept User Agreement” button when setting up your account.

Biometric Data – How Personal Is it?

Fitness Trackers collect an incredible amount of Biometric Data that reveals very personal information about your health, behaviors, and even exact GPS coordinates with timestamps. From this, it is easily possible to analyze someone’s health, lifestyle, and patterns of movement in space… in fact, many Health Applications that read in your Fitness Tracker data are designed to do just that. Provide you patterns of your behavior, allow you to share things like bike routes with friends, and evaluate ways for you to improve your health.

But what do the companies do with this data? It can feel like it is used just for you and your fitness goals, the service that they’re providing… in reality, this data is used for much more. And may be provided to third-parties… in other words, other companies you have not directly consented to.

What is required in a Privacy Policy?

In 2004, the State of California was the first to implement a law, the California Online Privacy Protection Act, or CalOPPA for short, requiring that a Privacy Policy be posted and easily accessible online for all commercial organizations. Because of the nuances of organizations typically doing state business with individuals, the policies apply to all California residents and visitors.

CalOPPA highlights the following basic goals for organizations that collect personally identifying information (PII):

1. Readability – they should use common and understandable language in an easy to understand format.
2. Do Not Track – should contain a clear statement about how/if the device/app tracks you online, and state clearly whether other parties may be collecting PII while you use their service.
3. Data Use and Sharing – Explain the use of your PII, and when possible provide links to the third parties with who your PII is shared with.
4. Individual Choice and Action – Make it clear what choices you as a user has regarding the collection, use, and sharing of PII.
5. Accountability – Have a clear point of contact if you as a user have question or concerns regarding privacy policies and practices.

The implementation of CalOPPA has greatly improved the accessibility and understandability of Privacy policies. However, improvements are needed for third-party data sharing.

Privacy Policies should have a clear explanation of how, if, and when data is shared or sold to a third-party (e.g. another company). There are some protections in place that require companies to aggregate (combine) data and make it anonymous so that any individual can not be identified from the data shared. However, this can be extremely difficult to achieve in practice.

For example, if a third-party purchases data from a health application or fitness tracker, which does not contain personal identifying information like a name or address, the same third-party could then purchase the missing data from a food delivery service that does, making it easy to determine identity.

It is overwhelming to think of all the ways biometric data can travel throughout the web and how it might be used to market, discriminate, and/or monitor individuals.

The first step to keeping data safe is understanding the policies you’ve opted into regarding third-party sharing. Decide if this is a policy you feel comfortable with, and if not, take steps to request the removal of your data from the platform. You do have the right to both fully understand how companies use your data and make more informed choices when clicking that Accept User Agreement button.