Exercising Privacy: Policy Options for Privacy and Wellness Wearables
Citation
Executive Summary
Wellness wearables are playing a growing role in the lives of Canadians. Manufacturers of these devices and their associated apps are promising a future world of enhanced well-being by enabling users to keep track of and take action on their health and wellness goals.
However, wellness wearables are distinct from other emerging technologies in that they directly connect to the body, generating a high volume of health-related information. They are also of increasing interest to stakeholders beyond consumers and are being applied in contexts where there are power asymmetries and potential misuses. Employers have been incorporating wellness wearables at work, making monitoring more intrusive and continuous. Insurers have also been keen to leverage the real-time data that these devices can generate about policyholders.
Despite these unique aspects of wellness wearables, there has been limited policy development in this area. Instead, these types of devices occupy a regulatory grey area. As neither medical devices nor low-stakes consumer products, wellness wearables are generally excluded from medical regulations and health privacy laws, and they are not sufficiently provided for under consumer privacy laws. Policymakers urgently need to collaborate with industry and civil society to address this gap and implement effective interventions for privacy. If left unaddressed, this will have profound implications as next generation wellness wearables establish even deeper connections to the body, with greater implications for privacy.
This report seeks to contribute to policy development by increasing understanding of privacy challenges and considerations for wellness wearables. It does so by focusing in on three main areas of risk: information risks, consent risks, and rights risks. These issues are then explored further through two use cases where the application of wellness wearables is growing and poses potential harms: workplace and insurance contexts.
Table E1: Summary of the privacy challenges of wellness wearables
| Information risks | Consent risks | Right risks |
|---|---|---|
| Continuous and sensitive information collection | Limited awareness and understanding | Facilitation of bias and discrimination |
| Data inferences and re-identification | Poor policies and consent practices | Compromising security and safety |
| Weak cybersecurity practices | Data sharing and secondary uses | Restriction of autonomy and contextual decision-making |
The report also identifies several recommended action areas where government has the opportunity to implement interventions that address the privacy challenges of wellness wearables. As presented in Table 1, some recommendations target modernizing privacy protections for these devices and their applications in workplaces and insurance. Others focus on helping businesses adopt best privacy practices and on enabling consumers to make privacy choices. While these recommendations cannot eliminate all potential harms wellness wearables pose, they represent important steps to exercising privacy in this arena.
Table E2: Summary of recommended action areas to promote privacy
| Modernizing privacy protections | Helping businesses bolster privacy | Promoting informed user choices |
|---|---|---|
| Create protections for consumer health-related information | Create standards and guidance for best practices | Require enhanced notice and consent mechanisms |
| Enhance and extend privacy protections to all employees | Change how businesses relate to regulators | Encourage certification and labelling |
| Limit the use of wellness wearable data in insurance | Develop a pipeline of privacy professionals | Promote digital literacy |
Authors
- Alannah Dharamshi, Springboard Policy
- Adrienne Lipsey, Springboard Policy
Project Advisory Panel
- Brenda McPhail, Canadian Civil Liberties Association
- Christopher Parsons, Citizen Lab
- Debra Mackinnon, University of Windsor
- Joe Masoodi, Ryerson Leadership Lab
- Laura Fadrique, Communitech
- Matthew Johnson, MediaSmarts
- Teresa Scassa, University of Ottawa
- Valerie Steeves, University of Ottawa
- Vass Bednar, McMaster University
- Victoria Hailey, Victoria Hailey Group Corporation
- Hélène Vaillancourt, CSA Group
- Tania Donovska, CSA Group (Project Manager)
Acknowledgements
The authors would like to thank Samantha Coronel for her excellent research assistance. The authors are also grateful to the research interviewees for sharing their expertise and the members of the project Advisory Panel for their input and strategic advice.
Financial Support
This CSA Group research report was prepared with generous financial support from the Office of the Privacy Commissioner of Canada’s Contributions Program.
Disclaimer
This work has been produced by Springboard Policy and is owned by Canadian Standards Association. It is designed to provide general information in regards to the subject matter covered. The views expressed in this publication are those of the authors and interviewees. Springboard Policy and Canadian Standards Association are not responsible for any loss or damage which might occur as a result of your reliance or use of the content in this publication.
Copyright
2022 Canadian Standards Association. All Rights Reserved.
