Exercising Privacy: Policy Options for Privacy and Wellness Wearables

Citation

  • Dharamshi, A., Lipsey, A. (2022). Exercising Privacy: Policy Options for Privacy and Wellness Wearables. Canadian Standards Association, Toronto, ON.

Executive Summary

Wellness wearables are playing a growing role in the lives of Canadians. Manufacturers of these devices and their associated apps are promising a future world of enhanced well-being by enabling users to keep track of and take action on their health and wellness goals.

However, wellness wearables are distinct from other emerging technologies in that they directly connect to the body, generating a high volume of health-related information. They are also of increasing interest to stakeholders beyond consumers and are being applied in contexts where there are power asymmetries and potential misuses. Employers have been incorporating wellness wearables at work, making monitoring more intrusive and continuous. Insurers have also been keen to leverage the real-time data that these devices can generate about policyholders.

Despite these unique aspects of wellness wearables, there has been limited policy development in this area. Instead, these types of devices occupy a regulatory grey area. As neither medical devices nor low-stakes consumer products, wellness wearables are generally excluded from medical regulations and health privacy laws, and they are not sufficiently provided for under consumer privacy laws. Policymakers urgently need to collaborate with industry and civil society to address this gap and implement effective interventions for privacy. If left unaddressed, this gap will have profound consequences as next-generation wellness wearables establish even deeper connections to the body, with greater implications for privacy.

This report seeks to contribute to policy development by increasing understanding of privacy challenges and considerations for wellness wearables. It does so by focusing on three main areas of risk: information risks, consent risks, and rights risks. These issues are then explored further through two use cases where the application of wellness wearables is growing and poses potential harms: workplace and insurance contexts.

Table E1: Summary of the privacy challenges of wellness wearables

Information risks | Consent risks | Rights risks
Continuous and sensitive information collection | Limited awareness and understanding | Facilitation of bias and discrimination
Data inferences and re-identification | Poor policies and consent practices | Compromising security and safety
Weak cybersecurity practices | Data sharing and secondary uses | Restriction of autonomy and contextual decision-making

The report also identifies several recommended action areas where government has the opportunity to implement interventions that address the privacy challenges of wellness wearables. As presented in Table 1, some recommendations target modernizing privacy protections for these devices and their applications in workplaces and insurance. Others focus on helping businesses adopt best privacy practices and on enabling consumers to make privacy choices. While these recommendations cannot eliminate all potential harms wellness wearables pose, they represent important steps to exercising privacy in this arena.

Table E2: Summary of recommended action areas to promote privacy

Modernizing privacy protections | Helping businesses bolster privacy | Promoting informed user choices
Create protections for consumer health-related information | Create standards and guidance for best practices | Require enhanced notice and consent mechanisms
Enhance and extend privacy protections to all employees | Change how businesses relate to regulators | Encourage certification and labelling
Limit the use of wellness wearable data in insurance | Develop a pipeline of privacy professionals | Promote digital literacy

