From Apple Watches to Fitbits and Strava, fitness trackers are everywhere. These devices have evolved far beyond simple step counters. Today, they monitor everything from heart rate and sleep to menstrual cycles and even stress levels. Many are also using artificial intelligence to tailor workouts and improve performance.
With all this personal data being collected, it’s important to ask: how is it being used, stored and protected?
What Data Is Being Collected?
Fitness trackers gather a wide range of personal information, including:
- Health and biometric data - such as weight, heart rate, blood pressure, oxygen levels, sleep patterns, and reproductive health. This is sensitive information, often shared only with medical professionals.
- Location data - GPS tracking can be used to map workouts, calculate distances and suggest routes. Some trackers now use AI on the data collected during workouts to build tailored plans, predict the routes you commonly take and suggest new ones based on your location. Some devices track location constantly, even when you’re not exercising.
- Fitness metrics - including steps, distances, calories burned, and cardiovascular strain. Some apps also track food intake and offer diet suggestions.
- User details - like name, age, gender, contact information and nationality.
- Aggregated information - data is often combined to build a profile of your habits, which can be used to personalise your experience.
How Is This Data Used?
Most users expect their data to help them stay healthy. But many fitness apps and devices also use it in other ways, often outlined in the small print:
- Data sharing - Fitness tracker providers may share information with third parties to create targeted advertising campaigns tailored to the user.
- Aggregated data - Aggregated data can often be shared with a fitness provider's partners (for example, where a user links their social media account to their fitness tracker, aggregated data may be shared to tailor the advertisements in that user's social media feeds). Providers may also use aggregated information, sometimes anonymised, to analyse trends across their user base and understand which features attract the most engagement.
What fitness tracking providers can do with user information will depend on the information contained within an organisation's privacy and data protection policies.
What Rights Do Users Have?
Under UK data protection law, individuals have the right to have their personal information handled fairly and properly. The UK GDPR sets out seven key principles that govern how personal information may be used. These key principles are:
- Lawfulness, fairness and transparency - Personal information should always be used in compliance with the law. Processing should be fair, and individuals should always know what information is being used, how it is being used, and why such use is necessary.
- Purpose limitation - Personal information should only be used for the purpose for which it is collected. In the case of fitness wearables, this will primarily be fitness tracking, but secondary uses may be contained within providers' terms.
- Data minimisation - Organisations should only collect personal information which is strictly necessary to fulfil the stated purposes.
- Accuracy - Personal information which is collected and retained should at all times be accurate.
- Storage limitation - Personal information should only be stored for as long as is necessary to fulfil the stated purposes.
- Integrity and confidentiality - Personal information should be held safe and secure, away from prying eyes or bad actors, and anonymised or pseudonymised as far as possible.
- Accountability - Organisations that collect personal information should at all times be held accountable for how they handle it.
What Can Organisations Do to Help Users Protect Their Privacy?
Organisations in the UK are bound by legal obligations under the UK GDPR and Data Protection Act 2018 to ensure that personal data is managed securely and kept safe.
- Allow users to review data privacy settings and understand how data will be used - Users should be able to read the privacy policy to understand how their personal information will be used. They should also be able to adjust settings to limit data sharing, prevent unnecessary tracking and configure privacy controls to a level they are comfortable with. Policies and settings are updated regularly, so it is important that users remain aware of how their information is handled.
- Secure accounts - Users should be encouraged to choose strong passwords for their accounts and, if possible, enable multi-factor authentication. Educating users about potential cyber security risks in fitness apps and wearables, and the need to maintain the latest software updates and security patches, will help to build customer trust and confidence.
- Third-party access - While linking fitness trackers to other services is a great way of making fitness more engaging and social, users must be told what personal data is being shared and with whom.
- Audit and delete data regularly - Periodically review collected data and delete unnecessary information. Review the third parties with whom users’ personal information is being shared and, if no longer necessary, stop the sharing.
Final Thoughts
Fitness trackers have transformed how we approach health and wellbeing. They offer personalised insights, motivation and support - but they also rely on a steady stream of personal data.
As users, we need to stay informed and have control of our privacy. And as providers, organisations must be clear, responsible and accountable in how they handle that data.
Because in a world where data is power, protecting it matters.