Fitness trackers breaking privacy laws, says watchdog

Multiple fitness wearables makers are facing a formal complaint from Norway's consumer watchdog for allegedly breaking European privacy laws and exploiting their users' information.

Fitbit, Jawbone, Garmin and Mio were slammed by the Consumer Council of Norway for failing to protect their customers' personal information and breaching data protection and consumer laws.

The rights body analysed the four companies' privacy policies and found the terms allow them to collect more personal data than is required for their services.

It also said Fitbit, Jawbone, Garmin and Mio are not being sufficiently transparent about how their users' information is used, do not give users "proper notice" when changing their terms, nor do they provide sufficient detail about how long they will store users' data for.

The vague terms and conditions for the data collecting apps that accompany Garmin, Fitbit, Mio and Jawbone wearables mean that the companies could be sharing sensitive information about users' health, activities and location with third parties.

"It is important that we don't give up basic rights in order to use the products and services of the future," said Finn Myrstad, director of digital services for the Norwegian Consumer Council.

While acknowledging that fitness wearables are "useful tools for monitoring and motivating fitness activities", he said users should be aware of how companies are using their personal health and location data.

"We fear that this information can be exploited for direct marketing and price-discrimination purposes, and that basic privacy principles are being neglected," said Myrstad. 

The Consumer Council previously warned that fitness apps including Runkeeper, MyFitnessPal, Strava and Lifesum were exploiting user data by retaining it after accounts had been deleted, as well as tracking them when they weren't exercising.

"We still have a long way to go before we are satisfied," said Myrstad. "We remain convinced that companies who respect their users' consumer and privacy rights will have a competitive advantage in this market."

The Consumer Council wants the companies in question to allow its users to change their privacy settings, and remove information sharing as a default option.

It also said, "it should not be more difficult to delete and account than it was to create it".

Fitbit said it is committed to protecting its users' privacy and that it does not sell user data. "We have never sold personal data and we do not share personal data unless a user specifically directs us to do so, or under the limited exceptions described in our privacy policy.

"Fitbit tries to employ clear, non-legalese language in our policies so our users understand what data we collect and how we use it, and we continually look for ways to improve our written policies."

Jawbone said: "We only share users' data if they ask us to - for example to integrate with a third party app.

"We are custodians of the user's data. We collect it, analyse it, and present it back to the user with meaning. The user may give us permission to share that data." Its users can also download their data and ask Jawbone to delete it, the company added.