As people are turning to health tracking devices and apps for understanding, tracking, and treating their health more than ever, current U.S. law has not evolved to protect this sensitive data. Despite this, Health and Human Services Secretary Robert F. Kennedy Jr. wants all Americans wearing health tracking devices by 2033, claiming it will improve health monitoring and detect disease earlier.
Wearables are devices worn by individuals to track health and activities. To function, these devices (e.g., smartwatches, fitness trackers) connect to apps that let users review their data. In addition, users can manually input data into apps. While wearable devices and their connected apps are already common in the U.S. and other countries, the scale of Kennedy’s plan raises serious data privacy and security concerns around how health data from these devices is collected, stored, and shared by their connected apps.
Many U.S. users are under the mistaken impression that health information collected through health tracking apps is protected by U.S. privacy laws. However, the main federal health privacy law, the Health Insurance Portability and Accountability Act (HIPAA), covers only health care providers, insurers, and their business partners. Commercial health apps fall outside HIPAA’s protection, which means they can legally collect and share user data ranging from daily steps to blood pressure to mental health diagnoses.
Without a national privacy law in place, it is unclear who controls and can use sensitive consumer data entered into these apps either manually or through a wearable device. For example, BetterHelp, a mental health and therapy app, was fined $7.8 million by the Federal Trade Commission (FTC) after it was found to have shared users’ sensitive mental health data with third-party advertising platforms, including Facebook and Snapchat. The FTC alleged BetterHelp violated §5 of the FTC Act for deceptive practices because the company assured customers their data would not be shared with third parties and conversations would be kept private.
In the European Union, the same platforms are held to stricter standards under the General Data Protection Regulation (GDPR). The GDPR, which many regard as unduly rigid, nonetheless holds organizations responsible for handling data, including requiring them to establish a lawful basis for processing data and holding them accountable when they fail to meet these standards. For example, Fitbit, a widely used health tracking app that connects to Google wearable devices but is also usable without one, must receive explicit consent from users before processing health data.
U.S. law and regulatory policy have not been meaningfully updated to account for the rise of artificial intelligence and digital health technology. In 2021, Senator Jacky Rosen (D-Nev.) and Senator Bill Cassidy (R-La.) introduced the SMARTWATCH Data Act. The aim was to ensure health data collected by wearables through their connected apps would be protected under similar standards that apply to traditional health data. But the bill did not advance past committee.
Congress needs to create a federal framework to enforce data privacy before RFK Jr. moves forward with a national wearable initiative. Although the FTC has taken action against individual companies, fines on large companies are typically viewed as a slap on the wrist. Consumers need a new federal law to stop companies from collecting and selling data once wearable apps are downloaded. Wearables and their connected apps offer real benefits, such as early detection and long-term tracking of chronic conditions; however, privacy, consent, and data transparency must come first.
Without updated data laws, Americans will continue to be vulnerable to the misuse of their health data. Data such as fertility, heart rate, and sleep patterns will become a valuable commercial product that companies can sell. This kind of mass data collection risks creating a system that prioritizes profit over user safety. The Trump administration should not pile more risk on consumers by failing to protect the privacy and security of health tracking devices and apps.