Fitbit Profited Off Health Data Long Before Google Showed Up



Since news broke that Google bought Fitbit for $2.1 billion, one of the big questions was how that massive treasure trove of Fitbit data would be handled. Everyone saw what happened with Nest. As a company, Nest and its data operated separately for a long while, but earlier this year, Nest users were told to migrate their accounts. Their data was now Google’s data. The prospect has reportedly led some current Fitbit users to mull alternative options, citing distrust that Google would keep its word that Fitbit users’ data would remain private. Concerned Fitbit users have good reason to be wary—but truth be told, Fitbit started exploring ways to make money with your data a long time ago.

To the average person, Fitbit is more or less known for its hardware. However, one of its lesser-known businesses is its Fitbit Health Solutions division. It peddles Fitbit Care, the company’s “enterprise health platform” that’s marketed toward employers, health plans, health systems, and researchers. In a nutshell, employers or health plans get a custom storefront that encourages employees to get discounted Fitbit trackers and smartwatches. During setup, the employees are then enrolled in the company’s wellness program—which includes a data analysis platform that “helps program administrators easily motivate employees and evaluate impact.” Among the engagement insights advertised, administrators can see continuous participation levels and engagement, the proportion of employees that meet, fail, or exceed a company or plan’s activity goals, trends, as well as group reporting on specific metrics like steps and active minutes. Individual and group level data are also available for export.

It’s a lot, and there’s a chance your company or health care provider has already vaguely floated the option to you in an email about benefits. John Hancock, one of the largest North American life insurers, announced in 2018 that it would only sell interactive policies that make use of wearables like Fitbit or Apple Watches. Customers who bought in could qualify for cheaper premiums and Amazon Prime memberships. Likewise, Blue Cross Blue Shield launched an exclusive program with Fitbit last year that offered weekly deals and special offers on services, gym memberships, and other products. UnitedHealthcare also launched a program that slaps a Fitbit Charge 3 on your wrist with the potential to earn more than $1,000 a year in incentives if you meet certain step goals. Rounding things out, when Fitbit initially launched the Fitbit Inspire, it was reportedly only available through insurers (though you can now buy it directly from the site).

It’s not like Fitbit has tried to hide this part of its business. At press conferences and product launches, there’s always a brief section on how this part of its business is doing—and the numbers seemingly go up with each subsequent update. It’s just not headline-grabbing in quite the same way as a shiny new tracker or smartwatch.

As hardware sales began dipping amid rising competition and a shift away from basic trackers, this part of its business—the part that is fueled in part by the knowledge Fitbit has a mountain of actionable data—has only grown. Earlier this year, Fitbit CEO James Park said during an earnings call that he expected Fitbit’s “Health Solutions revenue growth to accelerate approximately $100 million and to grow non-device consumer revenue.” Park added that 6.8 million Fitbit users had plugged into the enterprise platform and that its devices were part of 42 Medicare Advantage programs in 27 states nationwide. Is Fitbit directly profiting off individual health data in this scenario? No. But it is, in a sense, selling a product based on the fact that it has access to a lot of people’s health data.

“I think we believe we can drive very significant value by integrating more closely with healthcare,” Fitbit Vice President Steve Morley said in an interview with CNBC. Asked about Fitbit’s approach to privacy with regard to insurers ‘knowing too much’, Morley said “Our privacy policy is pretty simple. The data belongs to the consumer, the user. It’s for them to choose what data they share. If you put the consumer in control of that data, with providers or anyone else they’re wishing to share that data with, with that fundamental tenet, we believe the right information can be shared by consumers for the right outcomes.”

It’s true these corporate wellness programs are opt-in, but that puts the onus on consumers to know the ins and outs of multiple privacy policies. Poking around Fitbit’s privacy policy raises a few questions about how much control a user actually has over their data once Fitbit has it. Specifically, some customers spooked by the Google-Fitbit acquisition have been asking on Twitter how to delete their data. You can’t simply delete the app—you must delete your data manually. Fitbit says that most information will be deleted in 30 days but that it could take up to 90 days to delete all information and that even then, it may “preserve data for legal reasons or to prevent harm.” Anecdotally, one user noted on Twitter that even after deleting reproductive health data, some trace of it remained in Fitbit’s app and that back-and-forths with customer service did nothing to resolve the issue.

In the section on data retention, Fitbit says “We also keep information about you and your use of the Services for as long as necessary for our legitimate business interests, for legal reasons, and to prevent harm, including as described in the How We Use Information and How Information Is Shared sections.” Does that include exercise data even after you delete your account? What data that falls under “use of the Services” constitutes legitimate business interests? What does “as long as necessary” even mean? Gizmodo reached out to Fitbit for further clarification, but did not immediately receive a response.

Perhaps underscoring all this is that the acquisition isn’t even the first data-related dealing between Fitbit and Google. In April last year, Fitbit announced the two companies were working together to develop “consumer and enterprise health solutions.” Basically, Fitbit was interested in Google’s Cloud Healthcare API to, again, further Fitbit’s integration within the healthcare system by “connecting user data with electronic medical records.” As part of the effort, Fitbit moved onto the Google Cloud Platform, a move the company itself described as helping to “accelerate the Fitbit Health Solutions business and expand deeper into population health analysis.”

Technically, none of this runs afoul of privacy laws at the moment. That said, HIPAA—the legislation that currently serves as the main protection for health data—is woefully out of date and ill-equipped to handle newer technologies. As for data collected by wearables? That’s not covered by HIPAA. Fitbit’s privacy policy does specify that data shared with third parties and the public is either aggregated or anonymized. Except, studies show that de-identified data can be easily re-identified.

This is just a reminder that Fitbit views its data as a valuable source of revenue, and has been looking to leverage it for a long time. Google didn’t need to be in the picture for this to be a concern. Until there’s stricter privacy legislation on what tech companies can and can’t do with your health data, the safest option is never putting one on your wrist in the first place.



