Your Fitbit Might be Walking You into Trouble | Cassandra Voices



In the previous edition of Cassandra Voices, Eoin Tierney explored the extent to which data is routinely harvested in a variety of ways, some of which we cannot easily control. This extends to the hardware used to measure one’s fitness.

Fitbit, a company producing a well-known activity tracker, is no exception. Data gleaned from these devices, usually worn like watches, has even been accepted as evidence in criminal trials in the United States. In certain contexts such use has clear advantages, but the kind of information Fitbit amasses carries obvious risks once it is in circulation and falls into the wrong hands.

With the General Data Protection Regulation (GDPR) becoming applicable last month (it has applied since 25 May 2018), organisations all over the globe are reconsidering their data protection approaches and, as a result, updating their privacy policies. The brand-new Fitbit Privacy Policy, last updated on April 23rd 2018, can be found on Fitbit’s official website.

Like most privacy policies revised in the run-up to the GDPR, its main objective is to align the company’s data-handling practices with the Regulation’s requirements. In particular, it sets out the scope of data Fitbit routinely collects, which includes a customer’s name, email address, phone number, payment details and geographic location, together with the period of time for which such data is retained, and more.

All these provisions are worth noting for anyone who uses or intends to use Fitbit devices. One category that is essential to Fitbit’s operations, but which should have a red flag attached to it in the context of the GDPR, is health-related and biometric data.

In particular, Fitbit routinely collects your ‘logs for food, weight, sleep, water or female health tracking’, as well as other details that may furnish a vivid picture of any user’s behavioural patterns.

Article 9 of the GDPR places data concerning health, and biometric data processed to uniquely identify a person, within the special categories of personal data. Article 9(1) prohibits processing such data outright; Article 9(2) lifts that prohibition in only ten listed circumstances. These include, among others, explicit consent, substantial public interest and the performance of obligations in the field of employment and social security law.

Article 9(4) goes further, giving member states wide leeway to impose additional conditions, including limitations, on the processing of genetic, biometric and health data – something that should keep Fitbit on its guard for legislative developments in the countries where it operates.

That being said, Fitbit’s Privacy Policy does acknowledge the extent of sensitive personal data gathered by its devices and commits to obtaining separate consent from its users for the related processing. It also expressly reserves the right to ‘preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request’.

This is a typical provision found in most privacy policies. The GDPR itself expressly allows processing, including disclosure, of personal data where it is necessary to comply with a legal obligation to which the controller is subject (Article 6(1)(c)).

However, in the case of Fitbit this took an unexpected turn in a recent Wisconsin murder trial, when a judge admitted step-tracking data generated by a Fitbit as evidence supporting the alibi of a man who had initially been under suspicion, as the device indicated he had been asleep at the time.

In another instance, Fitbit logs were used by Connecticut police, this time to charge Richard Dabate with murdering his wife. Police alleged that he had fabricated a cover story, and his wife’s Fitbit brought the inconsistencies in his version of events to the surface: its logs recorded her moving around after the time at which, by his account, she had already been killed.

Yet another example of Fitbit usage that clearly goes beyond what a fitness bracelet was intended for is the partnerships that insurance companies are entering into with Fitbit.

In particular, individuals are offered a type of coverage that involves wearing a tracking device and sharing the data it collects with the insurance provider. On the one hand, such a development helps insurance companies stay up to date with the health of their customers and, if need be, provide necessary assistance in case of an accident.

At the same time, it effectively hands over a full overview of a person’s life, including information about biorhythms, habits and lifestyle quirks, that may later be used by insurance providers for purposes contrary to the interests of policyholders, for example by denying them coverage or raising their premiums.


The aforementioned cases illustrate how modern technologies may be used in ways that an average user would never expect when purchasing a device. In some instances this brings benefits, while in others it exposes intimate information about the device’s owner, to their detriment.

The purposes for which public authorities and external companies use Fitbit-generated data remain contentious. What is clear is that these deceptively innocent fitness-tracking gadgets amass unprecedented amounts of personal data.

Arguably this tendency will only increase in future, with companies seeking ever more personal data to enhance and customise their products and services in order to remain competitive in a market of accelerating technological development.

For now, the least a regular user should do is stay up to date with his or her rights under existing data protection legislation, and develop a clear picture of what personal data manufacturers are processing and using, and for which purposes.

All of these questions should be addressed in the privacy policy of the company in question, and such policies are usually available on the company’s website.

So next time, before blithely hitting the ‘I accept’ button in a privacy notice pop-up while configuring your Fitbit device, make sure you genuinely do not mind that sensitive, and otherwise confidential, information about you is being collected, analysed, stored and even shared externally for purposes that go far beyond keeping you fit.

