Fitbit Surge

The Consumer Electronics Association (CEA), which puts on the massive CES event in Las Vegas every January, just published a set of voluntary guidelines for how technology companies should approach privacy and security for personal wellness data collected by wearable devices and other connected wellness devices.

The CEA said the guidelines represent a consensus among its member companies, which include Apple, Google, Fitbit, Qualcomm, and Under Armor, and about 2,000 others. The CEA was quick to point out that the wellness data the guidelines focus on is personally identifiable data, and what companies do with de-identified data is not a focus of these particular guidelines. They were crafted with the objective of obtaining and maintaining consumer trust in the companies that offer devices and services that collect personal wellness data.

Here's a quick rundown of the principles: 

Security: "A company should secure personal wellness data by deploying measures that are reasonable and proportional to the sensitivity of that data, taking into account that consumers generally have heightened expectations of security with respect to personal wellness data."

Privacy Policy: "A company should have a clear and easily understood written policy for collecting, storing, using, and transferring personal wellness data...  Companies are encouraged to provide these summaries in creative formats and through accessible methods that facilitate rapid learning, such as graphics, icons, charts, video, or audio."

Transfers to Unaffiliated Third Parties: "A company should obtain affirmative consent before transferring personal wellness data to an unaffiliated third party, unless otherwise required by law or the company discloses in its privacy policy circumstances, such as emergencies, in which notice is sufficient."

Fairness: "A company should not knowingly use or disclose personal wellness data in ways that are likely to be unjust or prejudicial to consumers’ eligibility for, or access to, employment, healthcare, financial products or services, credit, housing or insurance."

Enable Personal Review, Edits, Deletion: "A company should provide a user with a means to review and correct the company’s stored personal wellness data if the company intends to share it with a third party that will determine the user’s eligibility for, or access to, employment, healthcare, financial products or services, credit, housing or insurance." The guidelines also suggest an option to delete the data if a user so desires.

Advertisements opt-out: "A company that tailors advertising based on users’ personal wellness
data should provide users with the ability to opt out of such advertising."

Law enforcement: "A company’s privacy policy should describe how it responds to requests for users’ personal wellness data from federal, state, local, or foreign law and civil enforcement agencies."

One question that came up on the media briefing about the new guidelines was around personal wellness data transfer in the event one company is acquired by another. Fitbit's privacy policy, for example, offers that up as a possibility: "We may disclose or transfer your [personally identifiable information (PII)] in connection with the sale, merger, bankruptcy, sale of assets or reorganization of our company. We will notify you if a different company will receive your PII and the promises in this Privacy Policy will apply to your data as transferred to the new entity."

CEA officials chose not to respond to that particular question, but it could be an important one if a company with one of the larger data sets of personal wellness data is acquired by, say, a health insurance company. Whether or not such a deal would lead to the feared consequences, if the wrong kind of unaffiliated third party all of the sudden becomes an affiliated one, it might make obtaining and maintaining consumers' trust difficult for all companies collecting wellness data.