On Wednesday, August 17, 2016, the Future of Privacy Forum (FPF) released a set of detailed guidelines for the collection and use of consumer-generated wellness data. The document, Best Practices for Consumer Wearables & Wellness Apps & Devices, was drafted by FPF with input from a wide range of stakeholders, including privacy advocates, companies, and regulators. The Best Practices guidelines set forth a Fair Information Practice Principles (FIPPs)-based trust framework that builds on existing legal expectations to provide a set of best practices designed to result in providing appropriate protections in light of the nature and sensitivity of the data.

Although much of the information collected and used by wearables and other wellness technologies is already subject to legal protections—for instance, COPPA, HIPAA, the FCRA, or the ADA—some health information and tools may fall outside of these laws and are not covered by specific sectoral protections. According to the FPF, these Best Practices are designed to address such gaps and to add more specific guidance where general privacy statutes may apply to health and wellness apps and devices.

The FPF guidelines come on the heels of last month’s U.S. Department of Health and Human Services (HHS) report, which articulated significant gaps in regulating health information privacy and security. This finding is supported by the results of a FPF mobile study, which notes that, while the number of apps that provide privacy policies is generally increasing, health and fitness apps perform worse, on average, in providing privacy policies. The rate of accessible privacy policies in the wellness space has raised concerns among consumers and privacy advocates, as wellness apps and their associated wearables are likely to have access to health and other physiological or sensitive data about their users.

The Best Practices guidelines are organized around nine familiar principles. We’ve outlined these principles and provided a brief summary of the FPF guidelines below.

1. Notice/Transparency

The guidelines suggest that companies provide access to a publicly-available privacy policy specifying what data is collected; how the data is collected, stored, used, secured, and disclosed; how the data is used for advertising; information about deidentifcation of data (if any); information on the use of data for research purposes; users’ options regarding access, correction, or deletion; whether and how information would be collected from non-users; and information on responses to requests for data by government authorities.

The guidelines contain additional requirements, such as the identification of a data protection officer, in the event that underlying data is collected from EU individuals.

2. Choice/Consent

The guidelines set forth criteria for when an entity should obtain express consent, including when the entity intends to engage in secondary uses of the data where such uses are incompatible with the primary purpose for which the data was collected. The Best Practices guidelines appreciate the potential difficulty in the wearables sphere of obtaining consent for sharing data with a third party, and explicitly provides that express consent to such sharing may be obtained “via a separate process” between the individual and the third party.

The Best Practices also provide additional guidance on obtaining informed consent from users where the data will be shared for research purposes.

3. Advertising

The Best Practices guidelines take a strong position on the sharing of data collected by wearables and health and wellness apps for advertising purposes, stating that “covered data may not be sold to advertising platforms, data brokers, or information resellers, even with express consent.” (emphasis added) The document also states that users should be given the option to opt-out of first party advertising on the basis of such data.

4. Limitation on Collection and Uses

The Best Practices document adopts the widespread position that entities may not use data in a way that would be incompatible with the purpose for which it was initially collected without obtaining express consent. In addition, however, the Best Practices guidelines enumerate a number of restricted uses for which covered data must not be used without express consent. These restricted uses include: employment eligibility, credit eligibility, healthcare treatment eligibility, and insurance eligibility, among other things.

5. Sharing

In general, the Best Practices guidelines adopt familiar positions on the sharing of data with third parties. For instance, covered data may be shared without express consent if reasonably necessary to comply with law and to preserve the security and safety of people or property.

However, with respect to vendors, affiliates, partners, agents, and similar parties, the guidelines provide that an entity may share with such third parties without obtaining the user’s express consent provided that appropriate privacy and data security contractual controls are in place, including limitations on data uses, prohibitions on attempts to re-identify data, and appropriate data security. This explicit requirement for privacy and data security contractual provisions is in line with general data transfer trends—including the Privacy Shield Framework—which require that entities include in contracts with third parties express provisions addressing privacy and data security prior to engaging in certain data transfers.

6. Access, Accuracy, Correction, & Deletion

The Best Practices guideline requires that companies make covered data available to the user, provide a means to ensure that the data is accurate and kept up-to-date, and allow users to dispute the accuracy or completeness of the data. The guidelines acknowledge that the availability and extent of such functions must be balanced with the costs and practical and technical feasibility.

In addition, it is worth noting that the guidelines provide that companies should afford users with easily accessible mechanisms to request the deletion of covered data. And, if a company should decline to correct or amend data following such request by a user, the company must, upon request, delete such data.

7. Limited Retention

The Best Practices guidelines suggest companies maintain internal data retention policies. The guidelines suggest that covered data be maintained for no longer than necessary for reasonable operation of the service, or so long as the user maintains an account with the company. This guideline therefore suggests that companies with wellness apps and devices consider implementing a mechanism that would result in the deidentification or deletion of consumer data upon deletion of a consumer account.

8. Data Security

The Best Practices guidelines adopt widely accepted data security norms, including that wellness apps and devices have in place comprehensive security programs appropriate for the nature, context, and scope of the data and activities, and which contain administrative, technical, and physical safeguards.

9. Accountability & Enforcement

Internally, the Best Practices suggest companies have in place processes and procedures to address privacy risks and protecting covered data. Externally, the Best Practices suggest companies include appropriate provisions in terms of service, developer terms, and other similar agreements. As described in “Sharing,” the Best Practices again highlight that companies should contractually obligate vendors, partners, recipients of de-identified or covered data, and others to adhere to appropriate privacy and data security provisions.