DEV Community

Spicy

Fitness Tracker Privacy in 2026: Fitbit vs Garmin vs Apple Watch vs Oura (What the Data Actually Shows)

You wear your fitness tracker 24/7. It knows your resting heart rate, your sleep cycles, your GPS routes, your stress levels, and — depending on the model — your blood oxygen, menstrual cycle, and ECG readings.

Here's the question most people never think to ask: who else has access to that data?

The answer depends almost entirely on which brand you're wearing. And the gap between the best and worst performers is significant.


The HIPAA Gap (Most People Get This Wrong)

Before anything else: your fitness tracker data is almost certainly not covered by HIPAA.

HIPAA applies to covered entities — hospitals, health insurers, healthcare clearinghouses, and their direct business associates. Consumer wearable companies (Fitbit, Garmin, Apple, Whoop, Oura) are none of these.

Your smartwatch heart rate data has fewer legal protections than a doctor's handwritten note. The only frameworks that partially apply are state laws — California's CCPA, Illinois' BIPA — and even those have significant gaps.

What you're left with: each company's own privacy policy. Let's go through them.


Fitbit (Now Google Health): ⚠️ Caution

As of May 2026, all Fitbit accounts have migrated to Google accounts. Your health data is now governed by Google's privacy policy.

What the data says:

  • Fitbit collects 23 data types per Apple's App Store privacy labels — the most of any tracker in this comparison
  • Google has committed that Fitbit health data won't be used for Google Ads
  • The privacy policy still permits sharing aggregated/de-identified data for "research and commercial purposes"
  • Analytics SDKs from Meta and Google are embedded in the app, transmitting usage data

The re-identification problem: A 2024 Imperial College London study found that supposedly anonymous fitness datasets could be re-identified with 87% accuracy using just three data points: age range, zip code, and activity pattern. "De-identified" isn't as safe as it sounds.
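A check a data custodian can run before releasing a "de-identified" export, given here as an added example (it is not code from the study or from any vendor): it counts how many records are unique on the three quasi-identifiers named above. The records, field names and the generalization step are constructed for illustration.

```python
from collections import Counter

# Constructed sample export: no names or device IDs, only quasi-identifiers.
RECORDS = [
    {"age_range": "30-39", "zip": "94110", "activity": "run-0600"},
    {"age_range": "30-39", "zip": "94110", "activity": "run-0600"},
    {"age_range": "30-39", "zip": "94110", "activity": "run-1900"},
    {"age_range": "30-39", "zip": "94114", "activity": "run-0630"},
    {"age_range": "40-49", "zip": "94110", "activity": "cycle-0700"},
    {"age_range": "40-49", "zip": "94117", "activity": "cycle-1800"},
    {"age_range": "20-29", "zip": "94103", "activity": "swim-0600"},
    {"age_range": "20-29", "zip": "94107", "activity": "swim-2000"},
]
QUASI_IDENTIFIERS = ("age_range", "zip", "activity")


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest class size; k == 1 means at least one record is unique."""
    return min(equivalence_classes(records, keys).values())


def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Share of records that nobody else in the dataset matches."""
    classes = equivalence_classes(records, keys)
    return sum(1 for n in classes.values() if n == 1) / len(records)


def generalize(record):
    """Coarsen a record: 3-digit ZIP prefix, activity type without time of day."""
    return {
        "age_range": record["age_range"],
        "zip": record["zip"][:3] + "**",
        "activity": record["activity"].split("-")[0],
    }


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("raw:    k =", k_anonymity(RECORDS), "unique =", unique_fraction(RECORDS))
    print("coarse: k =", k_anonymity(coarse), "unique =", unique_fraction(coarse))
```

Removing names leaves six of the eight constructed records unique on these three fields; only coarsening the fields themselves raises k above 1.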

In 2026: Whoop faces a class-action lawsuit in California for data-sharing practices with advertising partners — a signal of where regulatory pressure is heading across the industry.