Is Google’s Purchase of Fitbit a Data Privacy Risk?

A World of Hurt? — Is Google’s Purchase of Fitbit a Data Privacy Risk?

Part 2 in a 3-part series on the data privacy vs. big tech battleground.

On November 1st, 2019, Google launched a bomb into the world of personal data privacy, triggering in just over 400 words the publication of hundreds of thousands of words of concern related to data privacy. On that day, the company announced its acquisition of Fitbit, a wearable device that tracks personal metrics, including a person’s exercise, calories, weight, sleep habits, and much more.

The notice from Rick Osterloh, Senior Vice President, Devices and Services at Google, explained the company’s reasoning — expanding into the popular wearables marketplace — and addressed the mega-gigabyte elephant in the room:

“When you use our products, you’re trusting Google with your information. We understand this is a big responsibility and we work hard to protect your information, put you in control, and give you transparency about your data. Similar to our other products, with wearables, we will be transparent about the data we collect and why. We will never sell personal information to anyone. Fitbit health and wellness data will not be used for Google ads. And we will give Fitbit users the choice to review, move, or delete their data.”

Sounds good, right? Yet, experts have concerns:

“This could prove troubling to the 25 million active users of Fitbit whose personal data is now in the hands of one of the world’s largest and most powerful tech companies. On its own, that data provides some meaningful information about a person’s private life … if that data is also connected to the broader set of information Google tracks — what you search for online, what emails you send, where you go — that could present a pretty comprehensive profile of a person’s existence.” – Vox

“Even if Google claims it won’t use Fitbit health data for advertising, the acquisition is probably bad for user privacy,’ said Paul Bischoff, a privacy advocate with Comparitech. ‘Just because the companies say user data will not be used for advertising now does not mean that won’t change. Fitbit says health and wellness data will not be used for advertising, but that leaves plenty of other information for Google to gather.’” – The Guardian

“Because your health can determine what you can and can’t do, it can determine your vulnerabilities, your limitations … Another (big risk is) the data being offered to employers, insurance companies, financial firms, and others who may be interested in knowing people’s health and disease status. Could a company be less inclined to hire, insure, offer credit to, or invest in you if you have certain pre-existing conditions or are deemed by an algorithm as a health risk? How may your promotions and career advancement be affected? What products, services, and discounts will you have or not have access to given your health status?” – Forbes

What Fitbit Data is Available to Google?

These data privacy risk concerns are valid, especially when considering that the data Google will gain access to, derived from Fitbit’s terms of service, include:

  • Names
  • Emails
  • Passwords
  • Dates of birth
  • Gender
  • Height and weight
  • Credit card information
  • Mobile phone numbers
  • Profile photos
  • Biographies
  • Countries
  • Device information
  • Usage logs
  • Messages
  • Number of steps a person takes, distance traveled, calories burned, active minutes
  • Heart rate and sleep stages
  • Every place users have been while wearing Fitbit
  • Users’ life plans, goals, actions, calendars (from Fitbit’s life coaching service)

What Recourse Will Fitbit Users Have?

To be on the safe side, many Fitbit users have given up their beloved devices. However, less drastic options are available.

Fitbit is allowing users to delete their accounts on its website. The company will permanently delete data associated with an account after a seven-day grace period.

This privacy offer says a lot about both people’s concerns about their personal data. It also speaks to how companies should be prepared to step up and respond promptly to personal data privacy concerns by using data protection solutions that help discover, classify, and protect sensitive personal data.

Check back in two weeks for the final blog post in this 3-part series on the data privacy vs. big tech battleground as we explore other areas of data privacy risk.

Related Blog Posts

Blog Post
Women in Cybersecurity Series Featuring Penni Kessler, Director of Product Management at Spirion
Blog Post
Women in Cybersecurity Series Featuring Cully Buchanan, Director of HR at Spirion
Blog Post
10 Data Privacy Tips for Staff and Students in Education
Blog Post
8 Remote Work Productivity and Security Tips from CSO Mike Scott
Blog Post
5 Data Privacy Tips For Remote Work
Blog Post
RSA Roundup Podcast Episode with Gabe Gumbs and Cameron Ivey