Google’s decision to buy the health tracking device company Fitbit for $2.1 billion is raising concerns over how users’ data will be used by the tech giant.
Google appeared to anticipate the fears, noting in its announcement Friday that “privacy and security are paramount” to the company. Google promised to be transparent about the data it collects and to “never sell personal information to anyone.” Google also said it will not use the health data for its own ads, and will give users the choice to “review, move or delete their data.”
Fitbit, which has more than 27 million active users, echoed that message. “Strong privacy and security guidelines have been part of Fitbit’s DNA since day one, and this will not change,” the company said in a press release.
But data privacy experts caution that, while those sentiments might reassure some customers about the potential use of their personal health data, current laws and regulations do little to hold Google and other companies to their promises.
How health data can be used for profit
The San Francisco-based company Fitbit makes wearable devices that track the number of steps you’ve walked, your heart rate and quality of sleep, along with other personal wellness metrics. By acquiring Fitbit, Google expands the large pool of personal data it already collects.
Over the past 15 years, Google has purchased more than 200 companies including YouTube, Waze and Nest Labs, a company that makes smart home devices. Those acquisitions — in addition to its in-house products such as Google Maps and Google Search, along with the more than 124 million Android smartphones in use in the U.S. — provide Google vast amounts of personal data from which it can profit. Think of the targeted advertisements you might receive on various websites after you search for a pair of shoes on Google.
And even though Google said it will not use Fitbit data for ads, privacy advocates told the PBS NewsHour that there are plenty of other ways Google and its third-party partners can capitalize.
“Health data is the most valuable of all,” said Dr. Deborah Peel, the founder of the nonprofit advocacy organization Patient Privacy Rights.
Pharmaceutical companies could use the data to decide in which disease research they should invest their resources to develop profitable new drugs. Third-party businesses that purchase the data could also infer health-based behaviors and market their products accordingly.
Advocates say Google and other tech companies need to prove that only a small percent — if any — of the data they release can be rematched with individual users.
The threat of re-identification has led privacy advocates to question the motives of companies that create health apps, which have not been proven to improve health.
Apple’s own health app, which caused a rift between Apple and Fitbit when it launched in 2014, also collects data about users’ health through iPhones and the Apple Watch, but the company said the data is encrypted and is not used for business purposes.
People who use apps like Fitbit on their iPhones, however, are still subject to those companies’ privacy policies — not Apple’s — which might allow data sharing.
How privacy policies could change for Fitbit users
“At a certain point, it seems like technology companies are saying, ‘If you have a problem with this, don’t use it,’” said Dena Mendelsohn, senior policy counsel at Consumer Reports.
Privacy experts and business watchers say Google is unlikely to change Fitbit’s privacy policies too drastically because it doesn’t want to lose its core customer base. If policies do change, Google could still allow its customers to opt out of certain data collection and sharing practices while agreeing to others.
How laws aren’t keeping up with technology
Consumer Reports, Patient Privacy Rights and other groups say tech companies are given too much leeway when it comes to data collection and sharing. They advocate for stronger federal privacy laws.
“Without the baseline laws, consumers have to rely on the policy practices of any company they’re getting involved with,” Mendelsohn said.
Europe’s General Data Protection Regulation (GDPR) has forced some U.S. companies that operate in Europe to strengthen their data privacy policies. So has the California Consumer Privacy Act, which is set to take effect next year.
But U.S. federal law still has fewer restrictions on health data collected via apps than it does on medical devices used in hospitals, said John Verdi, vice president of policy at the Future of Privacy Forum, a nonprofit organization that seeks to improve data practices for emerging technologies.
The Federal Trade Commission can fine companies if they violate their own privacy policies or use data in a harmful way. The FTC fined Facebook a record $5 billion earlier this year for mishandling users’ personal information — although that fine was criticized as small compared to the money the company likely made from the misuse.
Google is also under investigation for potential antitrust violations and possible violations of consumer privacy.
A number of federal legislators responded to Google’s acquisition of Fitbit by calling for stricter enforcement of existing privacy regulations. So far there is no consensus among lawmakers on how to best address the quickly changing technology landscape.
“Legislation is one-size-fits-all by its nature. How do you come up with the right regulation that isn’t outdated the minute you publish it?” said Helen Goff Foster, a partner with the law firm Davis Wright Tremaine and a former privacy official at the Federal Trade Commission. “In privacy we haven’t figured that out yet.”
This story has been corrected to show that there are approximately 124 million Android smartphone users in the U.S.