The Consumer Electronics Association (CEA), which puts on the CES event in Las Vegas every January, has published a set of voluntary guidelines for how technology companies should approach privacy and security for personal wellness data collected by wearable devices and other connected wellness devices.
The CEA said that the guidelines represent a consensus among its member companies, which include Google, Fitbit, Qualcomm, Under Armour and about 2,000 others. The CEA was quick to point out that the wellness data the guidelines focus on is personally identifiable data; what companies do with de-identified data is not a focus of these particular guidelines. They were crafted with the objective of obtaining and maintaining consumer trust in the companies that offer devices and services that collect personal wellness data.
The guidelines set out several principles:
On security, the guidelines state: "A company should secure personal wellness data by deploying measures that are reasonable and proportional to the sensitivity of that data." In other words, a company should base its data protection on how sensitive the data is: some data may be strictly confidential, whereas other data could be shared with certain people.
Secondly, regarding privacy policies: "A company should have a clear and easily understood written policy for collecting, storing, using, and transferring personal wellness data." This is so everyone knows how their data will be used and what they are giving their data away for, which makes the exchange safer and fairer for consumers.
Thirdly, customers should be treated fairly. A company should not disclose personal wellness data in ways that could be unjust to the individual, for example in decisions about a person's health care, employment or financial status.
Finally, advertising should come with opt-outs. Any business that uses personal wellness data for advertising should allow people to opt out if they want to.
One issue raised at the event that is of particular interest is: "What would happen if a company was to acquire another? Would there be any consequences to this? Would the acquisition of a company lead to the wrong kind of third party obtaining the personal information?" This issue, although not answered, highlights the kind of due diligence needed in an acquisition scenario and how the transfer of personal wellness data now fits into that process.