Privacy by Design Key for Wearables as Health Data Regulation Grows, Says Lawyer
Companies selling wearable devices should start with privacy by design to better comply with a growing body of privacy laws, said Duane Morris privacy attorney Michelle Donovan during the law firm’s webinar Tuesday.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
"Wearables collect quite a lot of information about people, including personal information that is both sensitive and granular through essentially continuous sensor monitoring,” said Donovan. “This can include the accelerometer, gyroscope sensors, heart rates, GPS, biometric inputs and also, oftentimes, precise geolocation.” With AI and machine learning, many inferences can be made from this data, including about “a person's stress level, medical conditions, fertility insights and … behavioral patterns.”
However, most life-science and wellness wearables remain outside the scope of HIPAA, the federal health privacy law that only covers data collected through devices or apps provided by HIPAA-covered entities or their business associates, said Donovan. Washington state aimed to fill that gap with its My Health My Data Act, which includes a private right of action, she noted. New York legislators passed a similar bill, but it awaits the governor's approval (see 2507310030).
Donovan noted that many states’ comprehensive privacy laws treat health and precise geolocation data as sensitive information, a category for which most laws require opt-in consent before collection. However, she said the California Consumer Privacy Act takes a different approach, giving consumers "the right to limit the processing of sensitive information to anything outside the scope of what is statutorily permitted.”
For compliance readiness, Donovan said it’s important to understand what health data is being collected and how it flows. Questions should include “Are we collecting precise geolocation? How is it collected? Where is it stored? How are we sharing it?” said the lawyer: Then a company should categorize data by level of sensitivity and “analyze the security risk of each category of data.”
A good way for wearable providers to mitigate risk is through privacy by design, Donovan said. "You want to start by saying, ‘As we're building this device, we want to understand exactly what … information we're collecting.’”
That includes having a “data map at the device creation and design level” and “understanding, as you implement” third-party software development kits or application programming interfaces, “what information is going to be transmitted or shared through those SDKs and APIs,” the lawyer said. It’s also important to “have contract terms in place so that you don't end up with unauthorized disclosures or unauthorized use of sensitive data that could trigger compliance requirements.”