Steps, gait, heart rate, travel patterns, even sexual activity — wearables track, collect and share massive amounts of data. Over the last decade and a half, fitness and activity trackers have evolved from step counters to lifestyle devices able to pair with smart mattresses, smart kitchen appliances and other smart devices. In 2022, the global wearable technology market was estimated at $138 billion and forecast to grow at a compound annual growth rate of 13.6 percent, per a Precedence Research report.
New Year’s resolutions always contribute to this growth. Every January, people purchase the latest in wearable tech (this year, smart rings, shoes and bands are hot) hoping these devices will help them get fit or manage their macros. Your company’s health plan may also incentivize use of a step counter or diet tracker to help lower insurance rates. Incentives provide motivation, but consumers are increasingly demanding transparency about how the data that wearables collect will be used, as well as consequences for companies that misuse it.
In response, many states have passed data privacy laws, each with its own nuances. Parts of the Texas Data Privacy and Security Act (TDPSA), signed by Gov. Greg Abbott on June 18, 2023, will go into effect later this year, with additional compliance requirements coming online in 2025. In addition, several other states, including Washington, have passed specific laws that will affect Texas businesses. Data collection is universal — it doesn’t stop at the Rio Grande.
New State Laws
When it comes to wearables, companies must know what consumer data they use, where it comes from, where and for how long it is stored, and who gets to use it (and who does not). The issue is often that the company itself does not know these basic data-flow details, much less how to articulate them to consumers. Texas companies need to answer these questions to build out company data maps, which help identify the risks associated with the data a company uses, in addition to meeting the requirements of the new state privacy laws.
In the U.S., privacy, security and other data protection laws and regulations have proliferated since 2018: California, Colorado, Connecticut, Utah and Virginia have active omnibus privacy laws governing the collection of consumer data, and at least 10 other states have passed privacy legislation within the past year, with New Hampshire and New Jersey leading the way for more in 2024. There are laws specific to collecting biometric data in Illinois, Texas and Washington; health data in Washington, Connecticut and likely Vermont; children’s data in Arkansas, California, Connecticut, Florida, Louisiana, Texas and Utah; and educational data in Minnesota. Federal law also regulates particular data types and use cases, including protected health information, children’s data collected online, financial information and educational records.
The TDPSA draws heavily on the Virginia Consumer Data Protection Act and provides Texas consumers general privacy rights, including to:
- Confirm if a controller is processing personal data,
- Correct inaccuracies in personal data,
- Delete personal data provided by or obtained about the consumer,
- Obtain a copy of personal data provided to a controller by the consumer, and
- Opt out of the processing of personal data for purposes of targeted advertising, the sale of that personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect on the consumer.
The Texas privacy law, while very similar to others, is in other regards very broad, applying to nearly anyone who conducts business in Texas and processes Texans’ personal data. There are hooks in the Texas law that make it more comprehensive in parts than even California’s law, the venerable California Consumer Privacy Act. In Texas, controllers must delete essentially all data on a consumer, not just what is collected directly from the consumer. And while Texas small businesses are exempt from the law, that exemption does not apply to a small business that sells sensitive data.
The TDPSA goes into effect on July 1, which will be here fast. Businesses have until Jan. 1, 2025, to honor universal opt-out mechanisms such as the Global Privacy Control (GPC), which lets a consumer set an opt-out preference once, in the browser or device, and have a “do not sell” signal delivered automatically to each site that requests data from them.
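As an added illustration (not part of the original article, and not a representation of any particular vendor’s implementation), the following Python shows how a site’s backend can detect the GPC signal and record it as an opt-out. GPC travels as the HTTP request header `Sec-GPC: 1` (browsers also expose it as `navigator.globalPrivacyControl`), and a site can advertise that it honors the signal at `/.well-known/gpc.json`. The consumer record, the purpose names and the dates are constructed for the example.

```python
"""Detect and honor the Global Privacy Control (GPC) opt-out signal.

Added example; the ConsumerRecord structure and the purpose labels below are
constructed for illustration, not taken from any statute or product.
"""
from dataclasses import dataclass, field

# Purposes a GPC signal opts the consumer out of (constructed labels).
OPT_OUT_PURPOSES = frozenset({"sale", "targeted_advertising"})


@dataclass
class ConsumerRecord:
    """Constructed stand-in for a consumer's account or preference-center entry."""
    consumer_id: str
    opted_out: set = field(default_factory=set)


def gpc_signal_present(headers):
    """True only for 'Sec-GPC: 1'. Header names are case-insensitive; the
    specification defines a single value, '1', so anything else is not an opt-out."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_gpc(headers, record):
    """Record the opt-out on the consumer's record when the signal is present.

    The opt-out is persisted rather than evaluated per request, so a later
    request without the header (a different browser, a native app) stays opted out
    until the consumer affirmatively opts back in. Returns the blocked purposes.
    """
    if gpc_signal_present(headers):
        record.opted_out |= OPT_OUT_PURPOSES
    return frozenset(record.opted_out)


def may_process(record, purpose):
    """Gate a processing purpose on the consumer's recorded opt-outs.
    Purposes outside the opt-out set (e.g. delivering the service) are unaffected."""
    return purpose not in record.opted_out


def gpc_well_known():
    """Body for /.well-known/gpc.json declaring that this site honors GPC.
    'lastUpdate' is an ISO 8601 date; the value here is constructed."""
    return {"gpc": True, "lastUpdate": "2024-07-01"}


if __name__ == "__main__":
    rec = ConsumerRecord("consumer-123")
    # Constructed request headers: first with the signal, then from a client without it.
    apply_gpc({"Sec-GPC": "1", "User-Agent": "example"}, rec)
    apply_gpc({"User-Agent": "companion-app"}, rec)
    for purpose in ("sale", "targeted_advertising", "service_delivery"):
        print(purpose, "allowed" if may_process(rec, purpose) else "blocked")
```

Two design points worth noting: the check is on the exact value `1` and a case-insensitive header name, so a malformed or spoofed value does not silently flip a consumer into the opt-out state, and the opt-out is stored against the consumer rather than re-derived from each request, which is what lets the preference survive across devices and apps. Whether the statute treats the signal as a request to opt out that must persist, or merely as a per-request preference, is a question for counsel; the persistent approach is the conservative one.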
It’s worth noting that even in states that do not yet have data privacy laws, consumers are pursuing protections on their own terms. For example, even though California is the only state that currently extends privacy protections to employees, that caveat hasn’t stopped employees in other states from suing an employer after their personal data was accessed in a data breach.
Cybersecurity Audit
Last year, telecom providers, small towns, hospital systems and K-12 schools all fell victim to cyberattacks. Online criminals have become increasingly sophisticated, using phishing to gain access and ransomware to lock up entire networks. According to IBM’s 2023 Cost of a Data Breach Report, the average cost of a data breach is now $4.45 million, with breaches in healthcare costing considerably more. As an industry, healthcare has been hard hit: Since 2020, healthcare data breach costs have increased by 53.3 percent.
Highly publicized data breaches have heightened consumer concerns about wearable tech, particularly as it relates to health and fitness data. The sensitivity of that data also makes companies in the wearables game a prime target for bad actors. The disruption to development, operations and sales caused by a breach, and by the regulatory investigations that follow, can be incredibly destructive to morale and momentum. Business priorities often end up taking a back seat to discovery requests and calls with counsel, derailing sprints and release dates and driving employee turnover.
Conducting a meaningful, granular audit of security vulnerabilities is of the highest importance, not only for security but for productivity. For a wearable, that audit has to cover the whole data path: the device firmware and its pairing protocol, the companion app, the cloud backend and every third-party SDK the app embeds. An assessment by a cybersecurity expert can identify gaps and vulnerabilities that can then be mitigated and closed off one by one. Although this requires an investment of time and resources, it is usually much less costly than a data breach. Remember, breaches degrade brand confidence, and consumers leave brands they cannot trust.
Consumer Expectations
Consumers want notice and choice. They want privacy notices that quickly, simply and accurately explain what data is being collected from or about them, where it comes from, when it is collected, who has it, how long it is kept and, possibly most importantly, how their data is used. Companies have used, and continue to use, data to target consumers with other products or services the company believes might be of interest. Such “ad tracking” has for years been losing favor with consumers and regulators, with increased concern around the use of “dark patterns” to subvert or even impair user decision-making. Many of the new state privacy laws, and certainly Federal Trade Commission enforcement, seek to eliminate the use of dark patterns and to provide consumers with more notice and choice.
With new laws reshaping how and when companies notify users about the collection and use of personal data, companies are developing privacy policies that are better designed, interactive and user-friendly. There has been an uptick in the implementation of tools, such as preference centers and “do not sell my data” options, that allow consumers to opt out of secondary uses of data inconsistent with their expectations of proper data use.
Whether your company makes wearables, designs apps or sells data, it’s important to be aware of the risks. Each year brings new, exciting wearable tech to market. Now that privacy laws are starting to catch up, it’s time to make sure that compliance is up to date.
Jenifer McIntosh is of counsel at Stinson LLP. She can be reached at jenifer.mcintosh@stinson.com.