The Consumer Electronics Association (CEA), which puts on the massive CES event in Las Vegas every January, just published a set of voluntary guidelines for how technology companies should approach privacy and security for personal wellness data collected by wearable devices and other connected wellness devices.
The CEA said the guidelines represent a consensus among its member companies, which include Apple, Google, Fitbit, Qualcomm, Under Armour, and about 2,000 others. The CEA was quick to point out that the wellness data the guidelines focus on is personally identifiable data, and that what companies do with de-identified data is not a focus of these particular guidelines. They were crafted with the objective of obtaining and maintaining consumer trust in the companies that offer devices and services that collect personal wellness data.
Here's a quick rundown of the principles:
Security: "A company should secure personal wellness data by deploying measures that are reasonable and proportional to the sensitivity of that data, taking into account that consumers generally have heightened expectations of security with respect to personal wellness data."
Fairness: "A company should not knowingly use or disclose personal wellness data in ways that are likely to be unjust or prejudicial to consumers’ eligibility for, or access to, employment, healthcare, financial products or services, credit, housing or insurance."
Enable Personal Review, Edits, Deletion: "A company should provide a user with a means to review and correct the company’s stored personal wellness data if the company intends to share it with a third party that will determine the user’s eligibility for, or access to, employment, healthcare, financial products or services, credit, housing or insurance." The guidelines also suggest an option to delete the data if a user so desires.
Advertisements opt-out: "A company that tailors advertising based on users’ personal wellness data should provide users with the ability to opt out of such advertising."
CEA officials chose not to respond to that particular question, but it could be an important one if a company with one of the larger data sets of personal wellness data is acquired by, say, a health insurance company. Whether or not such a deal would lead to the feared consequences, if the wrong kind of unaffiliated third party all of a sudden becomes an affiliated one, it might make obtaining and maintaining consumers' trust difficult for all companies collecting wellness data.