
Before you buy a smartwatch or a smart ring, think about what you’re giving up

Apple / Oura / Elyse Betters Picaro / ZDNET



ZDNET's key takeaways

  • Wearable owners need to understand how their data is handled.
  • The US has no federal laws regarding consumer health data.
  • Consumers should manage their data properly and review privacy policies.

Our modern smartwatches and smart rings go beyond counting steps: they constantly collect data on our fitness, sleep, fertility, and much more, and upload it to an app. (Remember the days when we were told not to share any information online? How surprising.) But this widespread acceptance raises new questions about data privacy, security, and your rights. Who owns all that health data: you or the company collecting it?

The more data we collect, the greater the risk that our information will be compromised by a breach, or that companies may sell that data to third parties for advertising, insurance profiling, or other purposes you may not even know you're opting into.

“People have been cautious over the years when it comes to the types of sensitive data, but increasingly they are finding greater importance in accessing and using that information,” Jules Polonetsky, CEO of the Future of Privacy Forum, a non-profit organization focused on consumer data protection, told ZDNET. “The bad thing is that the residents are giving themselves time to think about where, when, and how they should take any safety measures.”

More than 20 states have now passed comprehensive data privacy laws, which generally give consumers the right to access, delete, and opt out of the sale of their personal information. However, they vary from state to state, and without federal regulation, what remains is a patchwork quilt of requirements.

Meanwhile, more than 560 million people worldwide now own smartwatches — including more than 1 in 4 Americans, according to Statista. “Consumers are increasingly interested in downloading, accessing, and using their health data to improve their health, or manage their family’s health records, but they must be proactive to understand whether or not they are protected based on their situation,” said Polonetsky. “The first thing we need is a federal privacy law, which includes at least the minimum protection of health data outside of HIPAA.”


Contrary to popular belief, HIPAA (the Health Insurance Portability and Accountability Act, passed in 1996) does not cover data collected by wearables, because wearable makers, unlike health care providers, are not considered covered entities.

That means it often falls to you as the consumer to decide how to protect yourself and your data.

Who can you trust?

In the absence of federal laws, “what governs the use and protection, collection and sharing of your personal data and health data in all these cases are the terms of service and privacy policies,” Caitlin Fennessy, vice president and chief information officer of the nonprofit IAPP, told ZDNET. Those terms of service are designed to comply with legal requirements and the company’s data processing practices.

A 2025 analysis published in the peer-reviewed journal npj Digital Medicine examined the privacy policies of 17 leading wearables manufacturers, using a rubric of 24 criteria across transparency, data collection purposes, data reduction, user control and rights, third-party data sharing, data security, and breach notification.


Based on that rubric, Google, Apple, and Polar had the lowest risk scores (meaning they had the strongest privacy protections for consumers), while Xiaomi, Wyze, and Huawei had the highest risk scores.

“Our findings highlight inconsistencies in data management across the industry and underscore the need for strong, industry-specific privacy standards,” the paper notes.

Privacy-conscious people often decide which wearables to buy based on how much they trust the manufacturer in general, rather than checking the privacy policy, Fennessy said. For example, if you're in the Apple ecosystem and you're happy with the way the company handles your data, you may have chosen the Apple Watch over another brand. Some of this comes down to how these companies market their privacy offerings.

Look for transparency

Companies with a strong focus on privacy and security will often provide clear, publicly available information about how data is handled, such as whether it resides on the device versus in the cloud, whether it's encrypted at the edge, and whether it's shared with third parties.

“A lot of times organizations that are trying to build their brand and reputation around the privacy of these wearables will have those high points of information out in the open and publicly, so there’s a layer of quick due diligence that you can do when looking at these wearables that doesn’t require you to read formal terms of service and privacy policies,” Fennessy said.


On the other hand, if you don't see this information out there clearly, these are probably not features the company prioritizes, she added, so proceed with caution.

Another important consideration: How does this company actually make money?

“If you’re paying a lot of money for a watch or a ring and a premium service, they have a lot of incentive to keep you happy,” Polonetsky said. “If it’s free, you really want to look closely and understand where and how someone is giving you a free service. If it’s not a charity or a HIPAA-compliant medical provider, somewhere there’s a way to make money, and maybe your data.”

In other words, if it's a free service or a very cheap device, your data is probably the commodity. That may mean it's sold to third parties or advertisers that you may not want learning details about your life.

Protective measures

Regardless of a manufacturer's privacy promises and reputation, there are a few practical steps you can take to protect the data collected on your smartwatch or smart ring:

  • Read the privacy policy (or at least ask a chatbot for a summary, or search for the word "data" to get specifics about where your information is going). When you shop for wearables, look for clear, public-facing messages from companies about privacy and data security.
  • If you have a smartwatch or smart ring that you no longer use, delete your data from it. You don't want data sitting there unused in case the company has a breach down the line.
  • Check where your phone and wearables are connected. Both Apple and Google will show you what services you're connected to, and you should check them every once in a while. For example, sometimes a piece of exercise equipment at your gym can connect to your smartwatch. You might use the feature and then forget about it, but your watch may still be sharing information with that treadmill.
  • If you are using an AI chatbot to analyze the health data collected by your wearables and you do not want it to train on your data, make sure you have checked your settings and turned off the option to use your data for training, or that you are using a temporary chat. (It's also best practice not to upload any documents with personally identifiable information; be sure to redact or anonymize everything first.)

“Telling people not to ‘share sensitive information,’ which was good advice years ago, doesn’t hold up anymore,” Polonetsky said. “People are finding incredible value in being able to analyze their health records. Now it’s about understanding who you’re sharing it with, and whether or not you’re using an enterprise service to monetize your data.”


