
Wearable Device Data Privacy: What Your Fitness Tracker Knows & May Be Sharing

Your smartwatch knows your resting heart rate. Your fitness tracker logs your sleep cycles. Your glucose monitor shares data with an app on your phone. Millions of Americans now wear devices that collect extraordinarily intimate health information around the clock, but most users have no idea where that data goes after it leaves their wrist.

The legal framework governing wearable health devices and biometric data privacy is still catching up to the technology. But that does not mean consumers are without rights. Laws like the Illinois Biometric Information Privacy Act (BIPA) and the California Consumer Privacy Act (CCPA) are giving individuals real tools to hold companies accountable when their most personal data is mishandled, sold, or exposed. If you have ever worn a fitness tracker, smartwatch, continuous glucose monitor, or any health-sensing wearable, this article explains what you can do if those rights have been violated.

What Data Do Wearables Actually Collect?

Modern wearable devices go far beyond step counts. They capture heart rate and cardiac rhythms, blood oxygen saturation, sleep staging and duration, skin temperature fluctuations, electrodermal activity and stress indicators, menstrual cycle tracking, and ECG readings. Whether these readings count as biometric data, meaning unique physical or behavioral characteristics that identify an individual, is a live legal question. Statutes like BIPA define a biometric identifier narrowly, as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, and none of the metrics above appears on that list.

Increasingly, however, legal scholars and litigants are arguing that health metrics captured continuously over time can function as biometric identifiers because they form a biological fingerprint unique to each user. Courts are actively working through these questions, and the stakes are high.

Real Lawsuits: When Wearable Data Privacy Goes Wrong

Litigation involving wearable devices and health data is accelerating. Several high-profile cases illustrate where legal exposure is developing and what consumers have at stake.

  • Fitbit User Data Privacy Litigation: A multidistrict class action filed in the Northern District of California alleged that Fitbit collected sensitive health metrics — including heart rate data and sleep information — and shared that data with third parties without adequate user consent. Plaintiffs argued that Fitbit’s privacy disclosures were vague and that the data-sharing arrangements with advertisers and research partners went far beyond what a reasonable consumer would expect when strapping on a fitness tracker.
  • Whoop Biometric Data Class Action: Whoop, the fitness wearable company popular among athletes, faced a class action lawsuit alleging that its platform collected biometric data from Illinois residents without complying with BIPA’s consent and policy requirements.
  • Google and Fitbit Acquisition — FTC Scrutiny: When Google acquired Fitbit for approximately $2.1 billion, federal regulators at the FTC and European competition authorities raised alarms about what Google intended to do with Fitbit’s trove of biometric and health data on tens of millions of users.
  • Apple Health App Data Breach Claims: Apple’s Health app, which aggregates data from the Apple Watch and third-party fitness apps, has faced litigation and regulatory inquiries in multiple jurisdictions over allegations that health data was accessible to third-party developers and advertisers without users’ meaningful knowledge or consent.

Why Wearable Health Data Exposure Is Especially Dangerous

Health and biometric data is not like a leaked email address. Once your biometric profile exists in the wild, it cannot be changed. You can get a new password. You cannot get new fingerprints. You cannot change your unique cardiac signature. The permanence of biometric data makes its exposure categorically more harmful than most other privacy violations.

Health data collected by wearables can be used by insurers, employers, and data brokers in ways that may affect your coverage, employment, or creditworthiness. Sleep disorder or cardiac irregularity data could affect life, disability, or long-term care insurance underwriting, which, unlike health insurance under the Affordable Care Act, may still take health history into account. Exposed cardiac data could also make you a target for discrimination by anyone who obtains it.

Concerned Your Wearable Data Privacy Rights Have Been Violated? Contact The Lyon Firm today for a free, confidential case evaluation. Our attorneys handle BIPA claims and health data privacy cases nationwide.

The FTC Steps In: Federal Enforcement Sets New Precedent

The Federal Trade Commission has signaled clearly that health data collected by consumer apps and wearable-adjacent platforms is not beyond its reach, even when HIPAA does not apply. In February 2023, the FTC took action against GoodRx, a health technology company, for sharing users' sensitive prescription and health data with Facebook, Google, and other advertising platforms without authorization. It was the FTC's first enforcement action under its Health Breach Notification Rule, which applies to vendors of personal health records that fall outside HIPAA, and GoodRx paid a $1.5 million civil penalty.

Similarly, the FTC pursued BetterHelp, an online therapy platform, for disclosing users’ mental health data to Facebook and Snapchat for advertising retargeting. BetterHelp agreed to a $7.8 million settlement.

The FTC’s enforcement trajectory suggests that companies collecting biometric and health data through wearables face growing federal scrutiny — and that the legal risk is no longer confined to state-level statutes like BIPA.

Children’s Wearables: Elevated Legal Risks and COPPA Exposure

A growing segment of the wearable market targets children: fitness trackers, GPS-enabled smartwatches, and health monitors are marketed to parents for monitoring their kids' activity, location, and vitals. The Children's Online Privacy Protection Act (COPPA) requires operators of services directed to children under 13 to obtain verifiable parental consent before collecting personal information from them. The COPPA Rule's definition of personal information expressly includes precise geolocation data, and the FTC has treated biometric identifiers and health information as within its scope.

In 2018, the FTC brought an action against VTech Holdings after a data breach exposed personal information of millions of children, including voice recordings and photos collected through connected devices. The case resulted in a $650,000 civil penalty.

Parents who purchased wearable devices for their children and later discovered that the platform was collecting, retaining, or sharing biometric or location data without adequate COPPA-compliant consent may have viable claims. Given that children’s biometric data carries the same permanence risks as adult data — and that children cannot meaningfully consent to its collection — courts and regulators treat violations in this space with particular seriousness. If your child’s health or location data has been collected without your informed consent, contact The Lyon Firm to discuss your legal options.

Data Brokers and the Hidden Market for Your Health Data

Most wearable device users understand that their data goes to the app on their phone. Far fewer understand where it goes next. A sprawling and largely unregulated data broker industry purchases, aggregates, and resells health-adjacent data derived from consumer devices. These brokers compile detailed profiles that can include inferred health conditions, activity patterns, sleep disorders, stress levels, and reproductive health data — all derived from wearable sensor readings that users believed were private.

If you have reason to believe your wearable health data was sold to third parties or data brokers without your meaningful consent, you may have a claim under BIPA, the CCPA/CPRA, or federal consumer protection law. An attorney experienced in health data privacy can evaluate the specific facts of your situation and advise on the best path forward.


Frequently Asked Questions: Wearable Device Data Privacy

  1. Can I sue a wearable company for collecting my biometric data without consent? Yes, in many circumstances. If you are an Illinois resident and a company collected your biometric identifiers or biometric information, including data that functions as a biometric identifier, without first informing you in writing of the collection, its specific purpose, and how long the data will be kept, without obtaining your written release, or without publishing a retention and destruction policy, you may have a private right of action under BIPA. The statute provides liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, or actual damages if greater.
  2. Is health data from my Apple Watch or Fitbit protected by HIPAA? Generally, no. HIPAA protects health information held or transmitted by covered entities, which are defined as healthcare providers, health plans, and healthcare clearinghouses, along with their business associates. Consumer wearable companies like Apple, Fitbit, and Garmin do not typically qualify as HIPAA-covered entities when operating their consumer fitness products.
  3. What should I do if I think my wearable device data was sold or shared without my knowledge? Start by requesting a copy of all data the company holds about you. Businesses subject to the CCPA must honor such access requests from California residents, several other states now grant similar rights, and many companies offer a self-service export to all users. While you are in the account, review the privacy and connected-apps settings, revoke third-party integrations you do not recognize, and keep copies of what you find. Most importantly, consult with a data privacy attorney promptly. The Lyon Firm offers free consultations and can evaluate your situation quickly to determine whether you have an actionable claim.
  4. Do I need to be part of a class action, or can I file an individual claim? Both options may be available to you, and the right path depends on the specifics of your case. Class actions allow large groups of similarly situated individuals to pool their claims against a single defendant, which can be powerful when individual damages are modest but widespread harm occurred. An experienced data privacy attorney can advise you on which approach best serves your interests and circumstances.

What You Can Do If Your Wearable Data Privacy Has Been Compromised

If you believe a wearable device company has collected, shared, sold, or mishandled your biometric or health data without your informed consent, you may have legal options available to you. First, document everything: preserve your account information, privacy settings, and any communications from the company. Request a copy of your data from the company and review what has been collected and with whom it has been shared. Then consult with an attorney experienced in biometric privacy and health data law before the statute of limitations runs. The Illinois Supreme Court held in 2023 that BIPA claims carry a five-year limitations period, but other statutes and states impose shorter deadlines.

Why Choose The Lyon Firm for Your Health Data Privacy Case?

The Lyon Firm has built a national reputation representing individuals and classes of consumers in complex data privacy litigation, including biometric privacy cases under BIPA and health data privacy claims. When corporations collect your most sensitive biological data for profit without your knowledge or consent, The Lyon Firm fights to hold them accountable.

Whether you are pursuing an individual BIPA claim, joining a class action, or exploring your options after a data breach involving health information, The Lyon Firm has the experience and commitment to see your case through.

Take Action Today. If a wearable device company collected your biometric or health data without your knowledge or consent, you may be entitled to significant statutory damages. The Lyon Firm offers free consultations and handles BIPA and health data privacy cases on a contingency basis — no fee unless you win. Call us or submit your information online to speak with an attorney about your rights.

CONTACT THE LYON FIRM TODAY
