By: Dominique Kelly
State laws governing biometric data are not common in the United States, as there are only three states that currently employ such laws: Illinois, Washington, and Texas. As it stands, biometric data in the United States are not governed by federal guidelines, but are instead governed by contracts that users must usually agree to in order to utilize most devices (think: terms and conditions longer than a Supreme Court opinion standing between you and using your new smartphone). We may not be aware of the biometric data collection features surrounding our daily lives, but some common features such as fingerprint scanners or facial recognition to unlock phones, voice prints collected in the presence of our good friend ‘Alexa,’ or even retinal scans at a country’s borders. However, there is one important category of biometric data we may be quick to forget about: health data. Fitness tracker brands such as Fitbit, Garmin, Fossil, or even popular smart watches by Samsung, Apple, and other electronic brands, contain features which can track steps, heart rate, sleep cycles, trail locations, and menstrual cycles amongst other things. While this data may be harmless, users should still have a right to control this type of biometric information although they may have agreed to use the device to track the information.
What could be the harm in collecting health related biometric data? Consider this: your employer offers you discounts on a new fitness tracking device in an effort to boost morale, promote fitness, and use friendly competition to enhance comradery. You do not want to miss out, so you purchase a great fitness tracker and your employer begins offering incentives for taking steps to pursue and/or maintain a healthy lifestyle. Your new fitness tracker arrives and you immediately take it out of the box and slap it right on your wrist and begin set up. You enter basic information, such as age, weight, cycle dates, etc. and the tracker begins, you guessed it: tracking. Now this tracker has obtained more information than you would be willing to give on a first date, in a matter of a few minutes. Not only is your tracker now tracking your steps, heart rate, and cycle, but you’ve also been tracking your weight, your exercise regimens, the running path you were just on for the past 30 minutes, and your caloric and water intake. Before you know it, you’re seeing ads on Instagram for the newest exercise machine, sponsored NIKE ads are attempting to sell you new running shoes, and Amazon is suggesting you purchase sanitary products around the beginning of your cycle.
Generally, individuals who buy health trackers don’t believe the information that is being tracked will be used by other entities for monetary gain. But in this age of increasing sponsored advertisements on social media platforms based on seemingly unrelated searches completed on search engines, should we have expected our health-related biometric data to be commercialized? There is a push for states to regulate privacy protections of biometric data as there is no federal body currently governing this type of data. Amidst the new acquisition of Fitbit by Google, lawmakers have begun preparing bills in an effort to protect consumer health data. One bill that has been created is the Smartwatch Data Act or the Stop Marketing and Revealing the Wearables and Trackers Consumer Health Data Act. Conveniently defined, the purpose of this proposed Act is to protect identifiable biometric data (sleep, health, exercise data, etc.) that would likely be tracked by fitness trackers created by Fitbit, Garmin, and other brands. This bill would ideally treat these types of biometric data as protected health information and require the enforcement of violations as any other HIPAA (Health Information Portability and Accountability Act) violation. The bill would also stop entities collecting this biometric data on personal fitness trackers from transferring, selling, or sharing said data.
Currently, HIPAA does not protect this type of personal information because HIPAA regulations currently only applies to health plans, health care clearinghouses, and any health care provider transmitting health information electronically. Since entities who create fitness trackers do not fall under a health plan, health care provider, or clearinghouse, they do not have to submit themselves to HIPAA guidelines. Thus, if those advocating for more protection of health related biometric data cannot successfully bring this protection under HIPAA guidelines, then perhaps an alternative is to encourage each state to create general biometric information protection laws. For example, the Illinois Biometric Information Privacy Act gives individuals the right to control their biometric information by requiring notice before collecting the data and giving the individuals the power to withhold consent. Another law governing collection and use of biometric data can be found in Washington state. This Act requires entities that collect biometric data (including health related biometric data) to disclose the way the information would be used and provide notice and obtain consent from the individual before the data is used. Much like the Illinois Act, only the Washington state attorney general has the ability to enforce the act preventing consumers from being able to sue companies when there is a violation. Texas is the third state that has enacted laws regulating the use and collection of biometric data. The Act requires only that any employer using biometric identifiers must destroy those identifiers within a reasonable time from the date the purpose for collecting the data expires. So, for example, if the data was collected for security purposes, then the expiration date of the purpose would be the date the employee no longer works with the employer.
In turning back to the biometric health data collected by fitness trackers, the state laws that are enacted in Illinois, Washington, and Texas may not provide the protection necessary to prevent the unlawful or unwanted use of consumer health data. The Illinois Act may be the closest law available to protect health data until bills and laws such as the Smartwatch Data Act, that include HIPAA or HIPAA related protection, become widespread in each state. Until then, we should continue to be aware of how our sleep, heart rate, exercise regimen, water intake data, etc. are used. In the meantime, grab a cup of tea and enjoy those long ‘terms and conditions’ agreements.
Sources:
In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016).
Fitbit, Inc. v. AliphCom, No. 15-cv-04073-EJD, 2017 U.S. Dist. LEXIS 12657 (N.D. Cal. Jan. 27, 2017).
Chelsea Cirruzzo, Cassidy, Rosen Introduce Consumer Privacy Bill Amid Google Scrutiny, InsideHealthPolicy(Nov. 14, 2019, 7:02 PM), https://insidehealthpolicy.com/daily-news/cassidy-rosen-introduce-consumer-privacy-bill-amid-google-scrutiny.
Jerry Lynn Ward, Texas Biometric Privacy Law restricts certain “biometric identifiers.” Only three states have laws regulating the collection and storage of Biometric data., GarloWard, P.C. (Mar. 26, 2018), https://www.garloward.com/2018/03/26/texas-biometric-privacy-law-restricts-certain-biometric-identifiers-three-states-laws-regulating-collection-storage-biometric-data/.
U.S. Dep’t of Health and Human Servs., Summary of the HIPAA Privacy Rule (2003).
Justin Lee, Washington’s new biometrics law softer on privacy protections than Illinois BIPA, BiometricUpdate.com(July 24, 2017), https://www.biometricupdate.com/201707/washingtons-new-biometrics-law-softer-on-privacy-protections-than-illinois-bipa.