Putting on a smartwatch or smart ring now means handing a private company a rolling health diary, and in the US that diary often sits outside the protections consumers assume apply to medical data.

Your Smartwatch Tracks a Health Diary Few Laws Guard
XOOMAR Intelligence
Analyst Take
That is the hard bargain inside the wearable boom, according to ZDNet: users get sleep scores, fitness feedback, fertility tracking, and convenience, while device makers receive a steady stream of personal information that can move through apps, cloud services, third-party connections, and privacy policies few buyers read closely.
A sleep score now comes with a privacy bill
The privacy problem isn’t that wearables collect data. That’s the product. The problem is that fitness, sleep, fertility, and other health signals are generated by users, processed by platforms, and governed largely by terms of service rather than a single federal consumer health privacy law.
ZDNet’s reporting frames the core risk plainly: the more health data people collect, the more they expose themselves to breaches, third-party sale, marketing uses, insurance profiling, or other purposes they may not realize they accepted.
"People were cautious years ago when it came to more sensitive data types, but increasingly they're finding enormous value in being able to access and use that information," Jules Polonetsky, CEO of the Future of Privacy Forum, told ZDNet. "The downside is they're not always taking the time to think through where, when, and how they ought to be taking any precautions."
XOOMAR analysis: This is the wearable industry’s central tension. The same data that makes a device useful also makes it sensitive. A watch that only counted steps was a gadget. A ring that tracks sleep and fertility signals is closer to a private health ledger, even if the law doesn’t always treat it that way.
The wearable data trail is wider than the device on your wrist
ZDNet says modern wearables go beyond step counting and constantly collect information on fitness, sleep, fertility, and related health activity before uploading it to an app. The article also points readers to the practical privacy questions that follow: whether data stays on the device or moves to the cloud, whether it is end-to-end encrypted, and whether it is shared with third parties.
That makes the data pipeline bigger than most buyers picture at checkout.
A wearable can connect to a phone. The app can connect to other services. ZDNet gives a concrete example: exercise equipment at a gym may connect to a smartwatch, and the user may forget the connection exists. The watch could still be sharing information with that treadmill.
That’s why dormant data matters. ZDNet advises users to delete information from smartwatches or smart rings they no longer use, rather than leaving records sitting in an account or device that might later be exposed in a breach.
XOOMAR analysis: The risk isn’t only one dramatic data leak. It’s accumulation. Small permissions can become a long chain of access over time, especially when users keep adding apps, devices, and AI tools to interpret the same health file.
HIPAA leaves a gap most wearable buyers don’t see
The biggest misconception in wearable privacy is HIPAA. ZDNet notes that the Health Insurance Portability and Accountability Act, passed in 1996, does not cover data collected by consumer wearables because those companies are not considered covered entities in the way healthcare providers are.
That leaves consumers leaning on state privacy laws and company policies.
Over 20 states have passed comprehensive data privacy laws, ZDNet reports. These laws generally give consumers rights to access, delete, and opt out of the sale of personal information. But the rules vary by state. Without a federal privacy law, Polonetsky described the result as a “patchwork quilt of requirements.”
"Consumers are increasingly interested in downloading, accessing, and using their health data for fitness, or managing their family's health records, but really have to be sleuths to understand whether or not they are protected based on the state they're in," Polonetsky said.
Caitlin Fennessy, vice president and chief knowledge officer of IAPP, told ZDNet that in the absence of federal regulation, the real governing documents are often the terms of service and privacy policies.
"What governs the use and protection, collection and sharing of your personal data and health data in all of these instances is the terms of service and privacy policies," Fennessy told ZDNet.
That is a weak position for consumers. Privacy policies are legal instruments, not product labels. Most users are not comparing clauses before choosing a watch or ring.
The market is already too large for privacy to stay optional
ZDNet cites Statista data showing more than 560 million people worldwide now own smartwatches, including more than 1 in 4 Americans. That scale changes the stakes. Wearable health privacy is no longer a niche concern for quantified-self enthusiasts. It is mainstream consumer infrastructure.
The source also points to a 2025 analysis in npj Digital Medicine that evaluated privacy policies from 17 leading wearables manufacturers using 24 criteria across transparency, data collection purposes, data minimization, user control and rights, third-party sharing, data security, and breach notification.
The results were uneven.
| Privacy policy risk group | Companies named by ZDNet | Meaning in the cited analysis |
|---|---|---|
| Lower risk scores | Google, Apple, Polar | Stronger consumer privacy protections under the study’s rubric |
| Higher risk scores | Xiaomi, Wyze, Huawei | Higher privacy risk scores under the same rubric |
The paper’s own summary, quoted by ZDNet, is direct:
"Our findings highlight inconsistencies in data governance across the industry and underscore the need for stronger, sector-specific privacy standards."
XOOMAR analysis: This is where trust becomes a product feature. If two devices track similar health signals, the privacy policy, data controls, and business model start to matter as much as battery life or design.
“Free” health insights deserve extra suspicion
ZDNet’s most useful test is simple: ask how the company makes money.
Polonetsky told ZDNet that if users pay real money for a device or service, the company has a clear incentive to keep them satisfied. If the service is free, the consumer should look harder.
"If it's free, you really want to look closely and understand where and how someone's giving you a free service. If they're not a charitable enterprise or a HIPAA-covered medical provider, somewhere monetization is happening, and it's probably your data."
That doesn’t mean every paid device is safe or every free feature is abusive. It means pricing can reveal incentives. When the business model is unclear, users should assume the privacy review needs to be stricter, not lighter.
The same consent problem now overlaps with AI. ZDNet specifically warns that users who upload wearable health data to an AI chatbot should check settings if they don’t want that data used for training, or use a temporary chat. It also advises against uploading documents with personally identifiable information unless they are redacted or anonymized.
That advice sits beside broader platform-trust questions XOOMAR has tracked in "95% of Claude Fable 5 Sessions Put AI Safety on Trial" and "Snapchat Locks Teens Under 16 Out of Spotlight Fame": users are being asked to rely on settings, disclosures, and company promises at the exact moment platforms are expanding what they can infer from personal data.
The privacy prescription is boring, necessary, and overdue
ZDNet’s practical advice is not glamorous. It is also the right starting point.
- Read or summarize the privacy policy: ZDNet suggests reading it, asking a chatbot for a summary, or searching for “data” to find where information goes.
- Look for public privacy claims: Companies that prioritize privacy tend to explain whether data stays on-device, goes to the cloud, is encrypted, or is shared.
- Delete old wearable data: If a watch or ring is no longer used, remove the data rather than leaving it exposed to future breach risk.
- Audit connected services: Check what your phone and wearable are linked to through Apple or Google account settings.
- Control AI training settings: If using a chatbot to analyze health data, turn off training where possible or use temporary chat.
The industry’s task is larger. ZDNet’s reporting supports a clear conclusion: wearable makers need clearer privacy communication, stronger user controls, and standards that don’t depend on which state a buyer lives in.
The next test is evidence. Stronger on-device processing, clearer third-party sharing disclosures, simpler deletion controls, and tighter AI data settings would support the thesis that wearable companies see biometric data as borrowed from users. More vague privacy policies, hidden integrations, and confusing opt-outs would point the other way.
What This Means For You
- Wearables can turn everyday health signals into sensitive personal records controlled by private companies.
- US consumers may not get the medical-data protections they assume apply to smartwatch or smart ring information.
- The convenience of sleep, fitness, and fertility tracking comes with risks from data sharing, breaches, marketing, and profiling.
Written by
XOOMAR Insights Team
Research and Editorial Desk