What Are Fitness Apps Doing With Our Data?

Magnus Boyd, Sachin Bhatt 17 May 2022

In a world where there’s an app for everything, health and fitness is no exception. But just what do these apps mean for our privacy and security? Magnus Boyd, Partner in the Legal team, and Sachin Bhatt, Senior Associate in Cybersecurity, share their expertise on the legalities of data collection, and the security of this data from a cyber perspective.

We may be cautious about sharing detailed personal information on social media – but what about with specialist apps designed to improve your health? Inputting data to fitness and health-related platforms, mapping your ride or tracking calories burned may seem like beneficial actions for your wellbeing, but could be bad news for your privacy.

Many of these apps, particularly fitness ones, are designed to enable you to share your activities and stats with others. This is, at best, a way to encourage healthy competition, but at worst a threat to your personal security. A recent study by Privacy International on the security concerns around diet apps found that they don’t always protect your data – and in fact, they often share it by default. We may unknowingly be contributing to this by registering with these apps through a social media login or linking them to social media platforms. This could mean that platforms such as Facebook are able to access our health- and activity-related information.

When we begin to see targeted ads, the penny might drop. Whether it’s ads for pregnancy tests if a user has not logged a period cycle, or for supermarket items that we regularly input into a meal-tracking app, these could be tell-tale signs that certain health and fitness apps may be selling or sharing our data with third parties.

Magnus Boyd, Partner and specialist in data privacy at Schillings, explains that ‘apps can collect any sort of data including personal data. But the lawfulness of that collection hinges on the question of consent.’ Usually, by signing up, or mindlessly clicking an ‘agree’ button, we’re consenting. But we might not be sure of exactly what we’re consenting to.

‘Apps have to inform the user about who they will be sharing their data with [before they consent], but in reality, the third parties are not always listed in an easily accessible way. Instead, they’re often buried in lengthy terms and conditions or Privacy Notices.’ Magnus’ advice? Read the T’s & C’s – thoroughly: ‘the devil is in the detail’, he emphasises.

Sachin Bhatt, Senior Associate for Cyber at Schillings, points out that ‘usability often comes with an associated cost of security and privacy. Enough consideration isn’t usually given to the implications of this cost – and its extent. Some apps come as bundles with fitness gadgets whilst others plug in to a wide array of fitness devices. You may wish to consider the implication of what personal data is being shared and ask yourself if this is something you would normally volunteer up to friends, family or even strangers on the street’. Privacy policies of apps can change, so it’s a good idea to keep on top of the developments when they occur and fight the urge to just click ‘accept’ when you receive a pop-up.

‘Reading and understanding the T’s & C’s is an important but laborious exercise that unfortunately not many people do’, continues Sachin. ‘There are in-app security and privacy settings that you should change from the default to regain control and offset the risk.’ Sachin suggests considering the following as a general rule of thumb:

  1. Are you comfortable with the default options of sharing and who your data is being shared with (everyone, all your contacts, limited people etc)?
  2. Have you reviewed geo-location settings to ensure you are happy with being tracked either all the time or during certain intervals of activity?
  3. Pay close attention to personalised advertisement and cookie settings. Limit these as much as possible.
  4. Ensure your login details are secure – a strong password coupled with two-factor authentication is always advised.
  5. Keep on top of updating the app and any devices it connects to. Vulnerabilities in the software can put your data at risk.

‘Whilst health and fitness apps can be incredibly useful, they should not come at the expense of users’ privacy, nor compromise the security of sensitive data’, explains Sachin. ‘There are also wider implications to consider from hacks, such as the one reported here, where data can be sold on the dark web. This data may be bought by a cybercriminal who is then able to use it, and in combination with exploiting other poor cyber security practices, could get hold of your identity, send phishing emails and possibly breach other accounts you have.’

As with any apps and platforms, being aware of individual privacy policies, being mindful of the implications of using the apps, and having good cyber routines can go a long way to avoiding these types of situations. Whether using social media or fitness apps, the premise is the same: privacy and security should not be an afterthought.