The Latest on Wearable Electronics and Data Privacy

The issue of data privacy is not a new one, and it has only continued to gain attention with the growing use of online technology between devices and applications. These devices and apps have the ability to collect and share personal information on an ever-increasing level.

In 2013, Target confirmed that credit and debit card information from 40 million customers had been stolen, and then later admitted that other information from 70 million people had been exposed. The result: Target paid $18.5 million to 47 states and the District of Columbia as part of a settlement with state attorneys general. Since this occurred, state legislatures have taken on consumer privacy as an issue of concern. Now, one may be asking how this relates to the use of wearable technologies. To understand the complexity of this issue, it is important to first define wearable technologies, then look at the personal information collected, and finally review the status of consumer privacy laws and their impact on these technologies.

Wearable Technologies and Data Collection

Wearables are defined as electronic devices that are worn by a person, usually close to the skin, that relay medical, biological, and exercise data to a database. The global wearable technology market size was estimated at $40.65 billion in 2020, and is expected to reach $47.89 billion this year.1 Wearables have made the Internet of Things (IoT) industry a behemoth.

Fitbits and Apple Watches are the most recognized forms of this technology. Wearables are most associated with the health and fitness market space. Fitness trackers, such as running apps, have become part of people’s daily routines. In addition to health data, these devices collect an array of personal information not usually thought of, such as buying habits and geographic information.

While gaming wearables are a growing market for this technology, it is also expected that the use of IoT in fashion and clothing will only increase. Additionally, the use of IoT in athletic wear tracks athletes and their movements, as well as health data.

A person’s morning exercise routine might include signing onto his or her favorite running or workout app to gain access to his or her workout routine. When signing up to use these apps, people are agreeing to allow the company to collect information on the time and duration of the workout; distance; location; calorie count; pace/stride; physical characteristics entered, including height and weight; images, photos, and videos taken; gender; hometown; date of birth; and credit card information. Essentially, any information that is entered to use the application and buy a product is captured through a company’s data system.

Also of note is the use of “cookies.” When people visit a website, they’ll see this common pop-up for them to accept the cookies for that site. These cookies collect information on people’s browsing habits so companies can understand their preferences.

After this quick look at the data collected through a variety of wearable technologies, it’s time to examine data privacy legislative issues. It must be clearly stated that there is no federal law that prevents the sale of most fitness-related information collected to third parties. This information is not covered by the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA. The collection of medical information by health care providers through this technology is different. Adriane Harrison, PRINTING United Alliance’s VP of human resources consulting, says, “HIPAA applies to covered entities, such as health care providers, and their business associates, such as employers. If the data gathered by the wearable technology is not collected by a health care provider, then it does not qualify as protected health information, and will not be protected by HIPAA. For instance, a person wearing a heart monitor that was provided by a doctor to check heart performance is HIPAA-protected health information. Conversely, if that same person is wearing a personal Fitbit that monitors heart rate data and other information, the Fitbit data is not HIPAA-protected health information.”

Status and Future of Data Privacy Laws

At this point, one may be thinking, "Great information, but how does this impact producers of wearable technologies?" Just like any other regulatory or legislative initiative impacting a printing business’s product line, that business needs to be aware of the landscape of these laws as it moves forward in the development of this technology. It is important to follow these issues so businesses can be assured that the products they are producing align with state programs. Yes, at this time, all these data privacy issues are focused on the state level, and the legislative programs have a laser beam on consumers, use of consumer data, and the right for consumers to deny collection of the data. And that ultimately impacts a producer’s product lines. Furthermore, it is important to note that these state privacy laws are often implemented by the state’s attorney general office.

This year, 38 states introduced more than 160 consumer privacy-related bills. The most common type introduced focused on comprehensive privacy issues, defined as broadly regulating collection, use, and disclosure of personal data, and providing a definitive set of consumer rights regarding the data collection. This includes the consumer’s ability to request access and deletion of any data collected. Overall, 17 states enacted data privacy laws in 2021. Two states, Colorado and Virginia, opted to pass comprehensive legislation similar to California.

There are key trends included in all state laws. All adopted legislation applies to any business producing, selling, or targeting to sell to residents in the identified state. Included across the board in all adopted bills is the consumer’s ability to opt out or request their information be deleted. There is also the requirement that all businesses post an extensive privacy policy on their websites. Here’s a look at what several key states have implemented.

As with environmental regulatory programs, California leads the way with the California Consumer Privacy Act of 2018. First enacted in 2018, it was recently amended in 2020 with further expansions that will go into effect Jan. 1, 2023. The amendments established the California Privacy Protection Agency’s ability to enforce and implement consumer privacy laws, as well as impose fines. Further, the new amendments prohibit businesses’ retention of personal data for longer than necessary, to be set in the regulations.

Also effective in July 2023 is Colorado’s Privacy Act (CPA). Similar to California, this new law applies to anyone conducting business or producing commercial products or services that are targeted to Colorado residents. The new legislation provides the state’s attorney general with the authority to promulgate rules for the purpose of carrying out the CPA. The attorney general is required to adopt rules relating to the technical specifications for universal opt-out mechanisms, and has the discretion to adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for businesses.

The commonwealth of Virginia is the third state to adopt a comprehensive data privacy legislative program. Similar to the aforementioned states, Virginia’s new law, once again effective in 2023, establishes a framework for controlling and processing personal data. Again, all companies conducting business in Virginia, whether located there or not, must adhere to the new provisions, and the attorney general has been given exclusive authority to enforce violations. An interesting provision is the requirement for the Joint Commission on Technology and Science to have established a workgroup to review the provisions of the new Act, including implementation issues, and issue a report last month.

Increased Use, Increased Legislation

It is apparent from research and studies that wearable technology use will only increase and grow. As consumers demand more sophisticated items, they have come to rely on the use of smartphones; fitness apps and trackers; health apps; etc. on a daily basis. One can also see the growing concern on the part of the consumer regarding collection and use of personal data. If the trend continues, 2022 will be another active year for data privacy legislation, both comprehensively as well as regarding those efforts that might target a specific industry group, such as information brokers.

Companies engaged in the production of this technology must be aware of these trends and develop effective engagement strategies with their customer base. As with any regulatory or legislative program, producers of this technology should track and understand how these new laws and regulations will impact their operation.

Reference
1 “Wearable Technology Market Size, Share & Trends Analysis Report By Product (Wrist-Wear, Eye-Wear & Head-Wear, Foot-Wear, Neck-Wear, Body-wear), By Application, By Region, And Segment Forecasts, 2021-2028.” Grand View Research, Oct. 2021.

Marcia Kinter is the VP, government and regulatory affairs for PRINTING United Alliance. She oversees the development of management resources for the association and represents the printing industry, as well as its associated supplier base, before federal and state regulatory agencies and the U.S. Congress on environmental, safety, and other government issues directly impacting the industry.
