Trade Law Daily is a service of Warren Communications News.
'Clearly Not Final'

CDT/Fitbit Privacy Best Practices 'Good Marker,' but More Guidelines Seen Looming

Industry representatives welcomed recent privacy best practices recommendations from the Center for Democracy and Technology and Fitbit, but said they address only a portion of a diverse, complex and rapidly changing consumer wearable sector where technology and consumer expectations are continually evolving. They said many companies view privacy and security as key. The report focused on giving internal research and development teams best practices (see 1606100029). Morgan Reed, executive director of ACT|The App Association, said in an interview that the report is "good marker for industry, but it's clearly not final." He said there are many more issues to consider, such as getting consent from consumers and form factor.

"There’s still an enormous struggle right now in the industry to figure out how do we responsibly collect and provide personal health information that your physicians can use, that your nurses can use in a way that leads to a better patient outcome," said Reed. "So you’re really seeing the transition from wearable that merely counts steps to a wearable that really integrates your health." He said there are "tendrils" of that in what Fitbit is doing, Apple's announcement of CareKit, an open-source software framework aimed at developing medical-care apps, and statements from other companies such as Under Armour and Nokia.

Alex Reynolds, CTA regulatory affairs director, said wearable manufacturers and other health providers are showing "strong interest" in developing and reinforcing privacy and security guidelines and incorporating them. "You have industry leaders like Fitbit out there and using that as a competitive differentiator, in some cases, but I think that there is an overall appreciation among members in the industry that this is important," he said. Fitbit has one kind of product for one kind of consumer, but the general space of health and fitness is "gigantic," said Reynolds. With a huge spectrum of devices in the market, they won't all have the same kind of privacy and security protections nor do they collect the same kind of data or serve a particularly critical or sensitive function, he said.

Reed said wearable companies don't want to do any "sneaky stuff" with data collected from consumers. But he said there's a lot of confusion about how to share data and with whom for analytics. "How am I engaging with them? How do I tell the consumer how I’m working with that third-party analytics provider?" asked Reed. "There’s still a lot of work that’s ongoing and establishing industry best practices or continuing to work on establishing industry best practices is something we see a lot of."

In October, CTA issued broad privacy and security guidelines to help wearable members, which include Apple, Fitbit and Under Armour. Those guidelines aren't enforceable, said Reynolds, because companies in this sector are at "different comfort levels" in following such policies. Even a reasonably detailed privacy document requires integration into internal processes, procedures and contracts and that depends on the stature of a company, he said.

Michelle De Mooy, deputy director for CDT's privacy and data project and co-author of the CDT/Fitbit report, said she didn't think its commitment to the best practices would result in enforcement from the FTC or state attorneys general. But she hoped companies could use the report to figure out how to implement privacy and security that's sustainable and scalable. "Enforcement, as far as I'm concerned, right now is public opinion," she said. "If you're not going to communicate well with me, you're not going to make me really aware of what you're doing with my data [then] I'm not going to use this device."

Reynolds and Reed said the FTC under Section 5 of the FTC Act regarding unfair and deceptive practices along with its working groups and white papers about privacy clearly spell out its authority in this area. Adam Thierer, senior research fellow with George Mason University's Mercatus Center, also said threats of 20-year consent decrees from the FTC and negative public relations or media attention are likely some reasons why industry is proposing privacy guidelines to head off any future problems.

Reed said he expects a series of iterative privacy guidelines and recommendations to be released this year by technology industry groups, medical associations or through intragovernmental collaboration: One reason there isn't one set of privacy guidelines to "rule them all" is the evolving technology. For example, Reed said that skin sensors are being developed to pick up biomarkers to ensure that patients are taking their medication as required. It raises questions of how that collected data should be managed, who it should be shared with and how all that can be communicated with the consumer.

Reed and Reynolds said any guidelines should focus on regulating data uses. "This is why it’s important to focus on uses rather than regulating data itself or putting constraints on the data itself," said Reynolds. Restricting collection of certain types of data, volume of data or other characteristics could mean "fewer opportunities to leverage it for something good, innovative and positive," he said. "So it’s not ideal when we talk about things like minimizing the data that you get. The whole point is to get more and better data in order to create better outcomes."

"There's more flexibility for companies when prohibiting uses of data, such as to prevent discrimination or to re-identify people," said Reynolds. "Certainly I’m not going to say, 'Collect anything and everything. It should be completely unregulated. People don’t care,'" he said. "They do care, but I think they care more about making sure that certain kinds of uses in certain sensitive contexts are prohibited. These things really change from industry to industry."

Editor's note: This is the second part of a two-part series. The first part looked generally at the CDT/Fitbit report.