Warning: *privacy not included with this product
Fitbit Inspire 3
If you want a little tracking--activity, heart rate, sleep--without the extra bells and whistles, this little bracelet could be for you. Just think, in the year 1820, the word tracker meant someone who was good at finding and following animals (or people). Now, in the 21st century, tracker means technology we strap to ourselves to tell us how active we've been and if we've got an irregular heart rhythm. Bet they never saw that coming back in 1820. Another thing they never saw coming? Google. Who, by the way, is the new keeper of all your Fitbit health data.
What could happen if something goes wrong?
So, what's going on with Fitbit's privacy? Well, Fitbit can collect a good amount of data, as most fitness trackers do. They say they collect things such as name, email address, phone number, birth date, gender, height, weight, location, wi-fi access points, and of course all the body-related data like steps, activity, sleep, stress, calories burned, and more. Fitbit also says they can collect data from third-party social media sites like Facebook and Google if you choose to connect them (please, don’t) and from employers and insurance companies if you choose to share to receive wellness benefits or discounted or free services (again, not a good idea).
Fitbit also says it can share non-personal information that has been de-identified or aggregated. This is pretty common, but still, can be a bit of a concern as it’s been found to be pretty easy to re-identify these data sets and track down an individual’s patterns, especially with location data. So, be aware with Fitbit--or any fitness tracker--you are strapping on a device that tracks your location, heart rate, sleep patterns, and more. That's a lot of personal information gathered in one place.
What’s the worst that could happen with Fitbit and all the personal and health-related data it collects? Well, in 2021 it was reported that health data for over 61 million fitness tracker users, including both Fitbit and Apple, was exposed when a third-party company that allowed users to sync their health data from their fitness trackers did not secure the data properly. Personal information such as names, birthdates, weight, height, gender, and geographical location for Fitbit and other fitness-tracker users was left exposed because the company didn't password protect or encrypt their database. This is a great reminder that yes, while Fitbit might do a good job with their own security, anytime you sync or share that data with anyone else, including third-party apps, your employer, or an insurance company, it could be vulnerable. I don’t know about you, but I don’t need the world to know my weight, how well I sleep, and where I live. That’s really dang creepy.
What else? Well, Google can collect information from many of the other third-party fitness and health apps you choose to connect to Fitbit. We usually suggest not doing that. On the other hand, if you’re already using Gmail, Google Drive, and Google Calendar to organize your life, that’s already a heck of a lot of eggs in one data-collecting basket. Through Fitbit Care, Google might partner with your employer or insurance provider, in which case they will get some personal information about you to invite you to the service. The Fitbit Care FAQ doesn’t say what information might be shared back with your employer or insurance company, but I would definitely ask about that before making the relationship between my employer and my fitness data official. I’d hate to have to confront my step count during a performance review.
Now for the million dollar question. Will Google use your private health data to sell you stuff or combine it with the loads of other information they probably have about you? Google says: “Your Fitbit health and wellness data won’t be used for Google Ads, and it will continue to be kept separate from Google Ads data.” (Cue the world’s tiniest party popper -- weeeee.) That’s also what they promised when they bought Fitbit, not that that keeps the privacy-conscious among us from worrying about how exactly this information will be used by one of the world’s largest data companies. As privacy advocacy group NOYB pointed out, Google’s Fitbit is already seemingly skirting Europe’s data privacy law, GDPR, by forcing users to consent to having their data transferred outside the EU if they want to use the app at all.
So can you trust Google with your data? We've always struggled a bit with Google here at *Privacy Not Included. There is no doubt Google is bad for the world's privacy. They kinda set the standard for collecting huge amounts of data on us and using that to target ads. The end result of Google's years and years of data collection and targeted advertising is a huge billion dollar company with tons and tons of power around the world. And now we're all perhaps way too conditioned to having our data being scooped up to target us with ads based on our location, our interests, and inferences that can be drawn about us from all these thousands of data points. This is all really bad for privacy.
That being said, Google has always managed to avoid our *Privacy Not Included warning label because they do some good things too -- like give everyone the ability to delete their data, they do a pretty good job at keeping all the data they hoover up on us secure, and hey, we know they don't really sell that data because, why would they? They want that data for themselves to make lots of money.
This is the year that we've finally decided Google has gotten bad enough we can justify dinging them with our *Privacy Not Included warning label (yes, we don't disagree we should have done it sooner, but we do have a methodology full of criteria we work from and they always walked the line of being bad but not exactly crossing enough of our lines to ding them). Here's why we decided to ding them this year.
First, we already know Google collects a TON of personal information on us, through location tracking, searches, cookies and app tracking technologies, and more. And while Google says they don't sell that information, they do provide access to that information to many, many third parties for advertising purposes. Google goes even farther these days and says that they allow "specific partners to collect information from your browser or device for advertising and measurement purposes using their own cookies or similar technologies." That means you're not just being tracked by Google when you use devices but also by these mysterious "specific partners" in ways that you might not be aware of or have been given the opportunity to consent to. This is bad.
The second big concern we have about Google is their track record at being honest and respecting all this personal information they collect on us. Google has racked up quite a long list of fines for privacy violations. In 2023, they settled a lawsuit with the state of California for $93 million for continuing to collect and store location data even after users turned off location tracking, according to the lawsuit. In 2022, they settled a similar lawsuit with 40 states for $392 million for continuing to track users' locations after they opted out. Also in 2023, a $5 billion lawsuit was allowed to continue against Google for secretly tracking users' internet use when the judge ruled "she could not find that users consented to letting Google collect information about what they viewed online because the Alphabet (GOOGL.O) unit never explicitly told them it would." And in December of 2022, the French data protection authority fined Google $57 million for "failing to acknowledge how its users' data is processed." Those are just the fines and lawsuits that have happened since we last reviewed Google in 2022. Over the past few years, there have been even more. South Korea fined Google (and Meta) millions of dollars recently for privacy violations. So did France and Spain. And in the US, Google has faced a host of lawsuits and settlements from Texas, California, Illinois, Arizona, the Federal Trade Commission, and more. All this makes it pretty hard to trust what a company says they do with that massive amount of personal information they collect on you.
One thing about Google we do like: They have a decent way to communicate with users about how they collect and use data in their Safety Center. Google does collect a ton of data on you and your children, especially if you don't take the time to adjust your privacy settings to lock down just how much info they can gather. You should absolutely take the time to adjust these privacy settings. Just beware, you will get notifications that some things might not work right if you change settings. That’s annoying, and probably worth it for a little more privacy.
What’s the worst that could happen? Well, when you give away a lot of personal information, especially sensitive information like your live location and you combine that with health information like your heart rate, mood, or menstrual cycle, that has to come with a lot of trust. And our trust in Google -- who owns Fitbit -- is wavering.
Tips to protect yourself
- Follow Fitbit's advice to keep your stats private
- Stop sharing friends' lists: Under “Friends” on your profile page, select Privacy Setting and then Private.
- Do not sign up with third-party accounts. It's better to just log in with an email address and a strong password.
- Choose a strong password! You can use a password manager such as 1Password or KeePass.
- Use your device privacy controls to limit the app's access to your personal information (do not give access to your camera, microphone, images, or location unless necessary)
- Keep your app regularly updated
- Limit ad tracking via your device (e.g. on iPhone go to Privacy -> Advertising -> Limit ad tracking) and the biggest ad networks (for Google, go to your Google account and turn off ad personalization)
- Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
- When starting a sign-up, do not agree to tracking of your data if possible.
What can be used to sign up?
A Google Account is required for all new users. A Google Account is required to activate new Fitbit devices released after the launch of Google Accounts for Fitbit. Existing users have the option to use either a Google Account or their existing Fitbit account until at least 2025 at which point they will be required to use a Google Account for login.
What data does the company collect?
- Name, email address, or billing information, or other data that can be reasonably linked to such information by Google, such as information we associate with your Google Account
- Precise geolocation data, including GPS signals, device sensors, Wi-Fi access points, and cell tower IDs
- If you choose: profile photo, biography, country information, and community username
- Data on your activity, such as terms you search for, videos you watch, views and interactions with content and ads, voice and audio information, purchase activity, people with whom you communicate or share content, activity on third-party sites and apps that use our services, Chrome browsing history you’ve synced with your Google Account
- Your address, ZIP code, and where the device is placed
- Sensor data such as detected motion, ambient light measurements, temperature, humidity, carbon monoxide, and smoke levels, as well as information derived from this data, such as sleep information
- (If you use calls) Phone number, calling-party number, receiving-party number, forwarding numbers, sender and recipient email address, time and date of calls and messages, duration of calls, routing information, and types and volumes of calls and messages
- GPS location and other sensor data from your device
- Height, weight
- If you choose: logs for food, weight, sleep, water, or female health tracking
- Voice (if you use Google Assistant)
- If you choose: friends' email addresses
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In September 2023, the US Department of Justice launched a trial against Google arguing "that Google abused its power as a monopoly to dominate the search engine business." Full disclosure, Mozilla testified in this trial.
In September 2023, Google was set to pay $93M in settlement over deceptive location tracking.
In August 2023, a US District Court judge allowed a $5 Billion lawsuit to continue against Google for alleged privacy violations of users for secretly tracking them without their consent.
In January 2023, Google confirmed a data breach at its cell network provider Google Fi. The breach is linked to the recent T-Mobile hack. Google announced the breach immediately. Google says the hackers accessed limited customer information, including phone numbers, account status, SIM card serial numbers and information related to details about customers’ mobile service plans, such as whether they have selected unlimited SMS or international roaming.
In December 2022, Google was fined by EU watchdog over GDPR violations.
In September 2022, Google lost an EU antitrust ruling that upheld a fine of over $4.34B on Google because of its Android monopoly.
Google received plenty of fines from European, American, and Korean authorities in the last few years. The biggest was the $170M fine from the New York Attorney General for mishandling children's consent. The other cases include the fine of $100M for violating the Biometric Information Privacy Act in Illinois, a $71.8M fine for mishandling consent in South Korea, a $57M fine for violating GDPR in France, as well as other fines from local Data Protection Authorities in Ireland, Italy, and Spain.
In August 2019, the company admitted that partners who work to analyze voice snippets from the Assistant leaked the voice snippets of some Dutch users. More than 1,000 private conversations were sent to a Belgian news outlet; some of the messages reportedly revealed sensitive information such as medical conditions and customer addresses.
Nest Security Bulletin contains details of security vulnerabilities that previously affected Google Nest's devices.
In August 2023, Fitbit faced three data transfer complaints in the EU, that allege the company is illegally exporting user data in breach of the bloc’s data protection rules: "European privacy rights not-for-profit, noyb, has filed the complaints with data protection authorities in Austria, the Netherlands and Italy on behalf of three (unnamed) Fitbit users. Commenting in a statement, Maartje de Graaf, data protection lawyer at noyb, said: “First, you buy a Fitbit watch for at least €100. Then you sign up for a paid subscription, only to find that you are forced to ‘freely’ agree to the sharing of your data with recipients around the world. Five years into the GDPR, Fitbit is still trying to enforce a ‘take it or leave it’ approach.”
In 2021, Fitbit's security measures did not prevent the major data leak of 61 million fitness tracker data records, including Fitbit user data, by the third-party company GetHealth. In September 2021, a group of security researchers discovered GetHealth had an unsecured database containing over 61 million records related to wearable technology and fitness services. GetHealth accessed health data belonging to wearable device users around the world and leaked it in a non-password-protected, unencrypted database. The list contained names, birthdates, weight, height, gender, and geographical location, as well as other medical data, such as blood pressure.
In 2020, it was reported the emails and passwords of nearly 2 million Fitbit users were leaked online.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Users must comb through privacy policies for both Fitbit and Google to make sure they've covered all their bases when it comes to privacy documentation for Fitbit products. It is complicated and cumbersome and confusing.
Links to privacy information
Does this product meet our Minimum Security Standards?
Google publishes academic papers about its AI research (https://ai.google/) and makes several tools available via open source (https://ai.google/tools).
Fitbit Coach and Fitbit Care services are said to be based on machine learning.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Your Fitbit is useless – unless you consent to unlawful data sharing (noyb)
Fitbit targeted with trio of data transfer complaints in Europe (TechCrunch)
Google Stops Selling Fitbits in Regions Where it Doesn't Sell Pixels (Gizmodo)
Fitbit Setup Requirements (Fitbit)
Fitbit users will be forced to migrate to Google accounts by 2025 (The Verge)
Fitbit Increases Security Requirements, Mandates Google Login From 2023 (Infosecurity)
Google’s New Plan to Make Fitbit Data More Useful for Healthcare (Health Tech Insider)
2 Million Fitbit Accounts Were Exposed by Cybercriminals (HackerNoon)
Standard Privacy Report for Fitbit (Common Sense)
Google Now Owns Fitbit: What It Means For Your Fitness Data Privacy (Forbes)
61M Fitbit, Apple Users Had Data Exposed in Wearable Device Data Breach (Health IT Security)
Google closes $2.1B acquisition of Fitbit as Justice Department probe continues (Fierce Healthcare)
Here's what your Fitbit knows about you (Avast)
Fitbit Joins Google (Fitbit)