Google Pixel Watch

Google
Wi-Fi Bluetooth

Review date: Nov. 9, 2022

Mozilla says

People voted: Very creepy

Remember a couple years ago when the announcement came down that Google was buying Fitbit and there were a ton of concerns for the privacy of Fitbit users? So the EU stepped in and said they would only approve the deal if Google made some promises about how they would handle all that health data these smart watches can track, like a 10-year ban on using health data for ad targeting for folks in the EU. Fast forward to now, and Google is finally launching their own branded smartwatch they say delivers "the best of Google and Fitbit" together. Meet the Google Pixel Watch, an Apple Watch competitor with all the features of a smart watch like Google Wallet, Google Maps, Google Assistant, phone, texts, calendars, and more. And all the fitness tracking features of a Fitbit like steps, heart rate, sleep tracking, fall detection, and more. Sounds like a good thing...if you're not an iPhone user, as there is no iPhone support. Android users only. As for privacy, well, Apple is probably better than Google and Fitbit at that.

What could happen if something goes wrong?

Google and Fitbit got married in 2021. A year later, they’ve now birthed the Google Pixel Watch, a smartwatch they say comes with “Help by Google. Health by Fitbit.” What’s that mean for privacy? Well, first off, good luck figuring out which privacy policy applies to the new Google Pixel Watch. Is it Google’s privacy policies? Fitbit's? Turns out, it’s both. Yup, welcome to your new privacy nightmare.

The Google Pixel Watch actually needs two apps to do everything. There’s the Google Pixel Watch app that lets users set up and manage the watch on your Android device (sorry iOS users, no support for you). That app links to this privacy policy for Google which takes a good long while to read (pro tip: click on the download pdf version to make it a bit easier to sort through). Then you can download and set up the Fitbit app on your device and use it to collect all that health data like activity, stress, sleep patterns, menstrual cycle tracking, and more. That app uses the Fitbit privacy policy. Oh, and what privacy policy applies to the device itself you ask? Well, according to Google’s customer service rep, the Google privacy policy applies to the device. Got it?

Good luck finding any of that information in the Fitbit or Google product pages where they sell the device though. You won’t. See, we just saved you so much time. However, it’ll take you hours to sort through the Google and Fitbit privacy policies to try and understand what data this smartwatch collects, how it is shared (good news though, neither Google nor Fitbit say they sell data, so at least there’s that), who has access to it, and how you can delete it if you want. One thing to keep in mind (and a reason this is probably so clunky on Google’s part right now): as part of Google's deal to buy Fitbit, they promised privacy regulators they wouldn’t collect Fitbit health data for at least 10 years. So, that’s probably the reason for the two separate apps.

Fortunately, you have us. Here’s what we learned looking through all the privacy policies. (Also, sorry for the long review; we are dealing with lots of privacy policies here.)

First, Fitbit. As of January 14, 2021, Google officially became the owner of Fitbit. That worried many privacy-conscious users. However, Google promised that “Fitbit users’ health and wellness data won't be used for Google ads and this data will be kept separate from other Google ad data” for at least 10 years as part of the deal with global regulators. However, Fitbit and Google announced in 2022 that a Google account will be required for some uses of Fitbit starting in 2023. And in 2025, Google accounts will likely be required to use a Fitbit, indicating Google has plans to bring Fitbit users into the Google ecosystem as much as they can.

What’s this mean? Well, Fitbit can collect a good amount of data, as most fitness trackers do. They say they collect things such as name, email address, phone number, birthdate, gender, height, weight, location, Wi-Fi access points, and of course all the body-related data like steps, activity, sleep, stress, calories burned, and more. Fitbit also says they can collect data from third-party social media sites like Facebook and Google if you choose to connect them (please, don’t) and from employers and insurance companies if you choose to share to receive wellness benefits or discounted or free services (again, not a good idea).

How does Fitbit use all this personal information it collects? Well, the good news is their privacy policy says they never sell your data. They also say they can share your personal information with advertising partners for targeted, interest-based advertising across the internet, which isn’t good news. And they say they can use that information to make inferences about you to show you more relevant content -- like using your sleep data to show you content to help you sleep better, which I’m pretty sure wouldn’t actually help me sleep better. So yeah, your Fitbit data is being used to show you ads and keep you using the platform as much as possible. Not surprising, but not great either.

Fitbit also says it can share non-personal information that has been de-identified or aggregated. This is pretty common, but still, can be a bit of a concern as it’s been found to be pretty easy to de-anonymize these data sets and track down an individual’s patterns, especially with location data. So, be aware with Fitbit--or any fitness tracker--you are strapping on a device that tracks your location, heart rate, sleep patterns, and more. That's a lot of personal information gathered in one place.

What’s the worst that could happen with Fitbit and all the personal and health-related data it collects? Well, in 2021 it was reported that health data for over 61 million fitness tracker users, including both Fitbit and Apple, was exposed when a third-party company that allowed users to sync their health data from their fitness trackers did not secure the data properly. Personal information such as names, birthdates, weight, height, gender, and geographical location for Fitbit and other fitness-tracker users was left exposed because the company didn't password protect or encrypt their database. This is a great reminder that yes, while Fitbit might do a good job with their own security, anytime you sync or share that data with anyone else, including third-party apps, your employer, or an insurance company, it could be vulnerable. I don’t know about you, but I don’t need the world to know my weight, how well I sleep, and where I live. That’s really dang creepy.

Now for Google. “OK, Google.” That’s pretty much exactly how we think Google does when it comes to privacy. They are OK, if you consider the fact that they are a ginormous data collecting advertising company that makes billions of dollars off your personal information. This is the world we live in now, though, and there are other Big Tech companies doing a worse job than Google at protecting and respecting your privacy (looking at you Meta/Facebook). It’s really unfortunate just how low the bar has gotten when it comes to privacy these days.

That said, you should be aware Google is a huge ad company that needs lots and lots of your data to sell ads. What sorts of data does Google collect on you? Well, there are those voice recordings when you go, “Hey Google, what are the symptoms of the latest coronavirus variant?” And while Google promises that your voice recordings won’t be used to send you personalized ads, they do say the transcripts of your voice interactions with your Google smart speaker may. Google also collects things like your location, information about things near your devices like wi-fi access points and bluetooth enabled devices, people you communicate with, purchase activity, voice and audio information, your favorite songs on Spotify, what things you search for, what things you ask Google, when you turn your lights on if you have smart lights, when you use it to run your robot vacuum, and so much more.

Of course, Google uses your personal information to sell those targeted, personalized ads you see all over the place like in your Gmail, in your favorite Solitaire app, on partner websites, and on YouTube. Yup, the ads are everywhere. Google does say they won’t use things like your sexual orientation, race, and health, to show you ads…although we just have to trust them on that. I’m sure we’ve all seen ads based on sensitive things about us that felt pretty creepy. And Google says they won’t use content from your Google Drive, Email, or Photos to personalize ads. We sure hope not.

We do like that people who use Google’s AI voice assistant are now automatically opted out of Google's human review of voice recordings, because that was super creepy. We also like that Google does try to communicate with users how they collect and use data in their Safety Center. Google does collect a ton of data on you, especially if you don't take the time to adjust your privacy settings to lock down just how much info they can gather. You should absolutely take the time to adjust these privacy settings. Just beware, you might get notifications that some things might not work right if you change settings. That’s annoying, and probably worth it for a little more privacy.

As for Google’s track record at protecting and respecting your privacy, well, it’s a mixed bag. Google does pretty well at the security side of protecting all those heaps of data they collect on you. It is their money-making business asset, after all. Unfortunately, Google also has a spotty track record at respecting privacy, as seen in the multitude of fines and lawsuits that have been thrown at them all around the world for violating privacy laws and protections. South Korea fined Google (and Meta) millions of dollars recently for privacy violations. So did France and Spain. And in the US, Google has faced a host of lawsuits and settlements from Texas, California, DC, Illinois, Arizona, the Federal Trade Commission, and more. All this makes it pretty hard to trust what a company says they do with that massive amount of personal information they collect on you.

What’s the worst that could happen? Well, if you don't take the time to lock down all your privacy settings, it's possible Google can get to know you really well, maybe too well. Maybe they recognize you from all the times you ordered plain cheese pizza. They know you are single because who orders plain cheese pizza? Just kidding, they know you're single because of all those pedicure appointments you've booked for one. Maybe it's OK Google knows you so well? Maybe it's creepy. (OK, we think it’s pretty creepy). What’s even creepier these days is the possibility that your Google searches and location information and more could potentially be used to harass, arrest, and even prosecute people in the United States seeking reproductive health care. That’s not just creepy, that’s downright harmful.

One last thing. Hey Google and Fitbit. Please sort this out and make it easier for your users to understand the privacy policy ecosystem of this smartwatch and the apps it uses. Or, at the very least, make it clearer on the Google Pixel Watch website that users are going to need to use two apps to control this device and that comes with multiple privacy policies and settings and concerns.

Tips to protect yourself

  • Visit privacy controls to adjust the amount of data collected
  • Turn off personalised advertisement
  • Visit privacy & security controls to adjust the amount of data collected
  • Delete your historical data from time to time
  • When starting a sign-up, do not agree to tracking of your data
  • Do not sign up with third-party accounts. Better just log in with email and strong password.
  • Choose a strong password! You may use a password control tool like 1Password, KeePass, etc.
  • Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless necessary)
  • Keep your app regularly updated
  • Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
  • Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.

Can it snoop on me?

Camera

Device: No

App: Yes

Microphone

Device: Yes

App: Yes

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

You will need both a Google Account and a Fitbit account to set up your Google Pixel Watch.

What data does the company collect?

How does the company use this data?

Both Google and FitBit privacy policies apply

Google does not share data with third parties for their own advertisement purposes. Google does not sell personal data.

Google shares data with its affiliates and business partners: "We provide personal information to our affiliates and other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures. For example, we use service providers to help operate our data centers, deliver our products and services, improve our internal business processes, and offer additional support to customers and users. We also use service providers to help review YouTube video content for public safety and analyze and listen to samples of saved user audio to help improve Google’s audio recognition technologies."

At the same time, Google uses collected data on its own services. "We use the information we collect to customize our services for you, including providing recommendations, personalized content, and customized search results."

Google may collect data on you from public and third-party sources. "In some circumstances, Google also collects information about you from publicly accessible sources. For example, if your name appears in your local newspaper, Google’s Search engine may index that article and display it to other people if they search for your name. We may also collect information about you from trusted partners, such as directory services who provide us with business information to be displayed on Google’s services, marketing partners who provide us with information about potential customers of our business services, and security partners who provide us with information to protect against abuse. We also receive information from advertising partners to provide advertising and research services on their behalf."

Google also uses personal data for personalised advertisement, if a user allows: "Depending on your settings, we may also show you personalized ads based on your interests. For example, if you search for “mountain bikes,” you may see an ad for sports equipment when you’re browsing a site that shows ads served by Google. You can control what information we use to show you ads by visiting your ad settings."

Google uses location for advertisement. It gets location from various sources: "Google’s ad products may receive or infer information about your location from a variety of sources. For example, we may use the IP address to identify your general location; we may receive precise location from your mobile device; we may infer your location from your search queries; and websites or apps that you use may send information about your location to us. Google uses location information in our ads products to infer demographic information, to improve the relevance of the ads you see, to measure ad performance and to report aggregate statistics to advertisers."

Google may combine information about you from their other services or devices. "We may combine the information we collect among our services and across your devices for the purposes described above. For example, if you watch videos of guitar players on YouTube, you might see an ad for guitar lessons on a site that uses our ad products."

Fitbit says they can share your data with third-parties for targeted, interest-based advertising.

Fitbit says that they transfer information to their corporate affiliates, service providers, and other partners who "process it for us, based on our instructions, and in compliance with this policy and any other appropriate confidentiality and security measures." You may also give consent for Fitbit to share your information in other ways, for example, when you give a third party access to your account, or give your employer or insurance company access to information when you choose to participate in a wellness program. Remember when you do that, their use of your information will be governed by their privacy policies and terms.

Fitbit says that their policy is to notify you of legal process seeking access to your information, such as search warrants, court orders, or subpoenas, unless they are prohibited by law from doing so. Exceptions to their notice policy include exigent or counterproductive circumstances, for example, when there is an emergency involving a danger of death or serious physical injury to a person.

How can you control your data?

Everyone can get their data deleted by deleting their account and waiting for 90 days.

"We keep your account information, like your name, email address, and password, for as long as your account is in existence because we need it to operate your account. In some cases, when you give us information for a feature of the Services, we delete the data after it is no longer needed for the feature. For instance, when you provide your contact list for finding friends on the Services, we delete the list after it is used for adding contacts as friends. We keep other information, like your exercise or activity data, until you use your account settings or tools to delete the data or your account because we use this data to provide you with your personal statistics and other aspects of the Services. We also keep information about you and your use of the Services for as long as necessary for our legitimate business interests, for legal reasons, and to prevent harm, including as described in the How We Use Information and How Information Is Shared sections."

"Editing and Deleting Data. By logging into your account and using your account settings, you can change and delete your personal information. For instance, you can edit or delete the profile data you provide and delete your account if you wish. Learn more here. If you choose to delete your account, please note that while most of your information will be deleted within 30 days, it may take up to 90 days to delete all of your information, like the data recorded by your Fitbit device and other data stored in our backup systems. This is due to the size and complexity of the systems we use to store data. We may also preserve data for legal reasons or to prevent harm, including as described in the How Information Is Shared section."

What is the company’s known track record of protecting users’ data?

Needs Improvement

In 2021, Fitbit's security measures did not prevent the major data leak of 61 million fitness tracker data records, including Fitbit user data, by the third-party company GetHealth. In September 2021, a group of security researchers discovered GetHealth had an unsecured database containing over 61 million records related to wearable technology and fitness services. GetHealth accessed health data belonging to wearable device users around the world and leaked it in a non-password-protected, unencrypted database. The list contained names, birthdates, weight, height, gender, and geographical location, as well as other medical data, such as blood pressure.

In 2020, it was reported that the emails and passwords of nearly 2 million Fitbit users were leaked online.

Google received plenty of fines from European, American, and Korean authorities in the last few years. The biggest was the $170M fine from the New York Attorney General for mishandling children's consent. The other cases include a $100M fine for violating the Biometric Information Privacy Act in Illinois, a $71.8M fine for mishandling consent in South Korea, and a $57M fine for violating GDPR in France, as well as other fines from local Data Protection Authorities in Ireland, Italy, and Spain.

In 2022, Google agreed to a nearly $392 million legal settlement with 40 US states "for charges that it misled users into thinking they had turned off location tracking in their account settings even as the company continued collecting that information".

In August 2019, the company admitted that partners who work to analyze voice snippets from the Assistant leaked the voice snippets of some Dutch users. More than 1,000 private conversations were sent to a Belgian news outlet; some of the messages reportedly revealed sensitive information such as medical conditions and customer addresses.

In December 2018, a bug exposed the data of 52.5 million Google+ users.

Nest Security Bulletin contains details of security vulnerabilities that previously affected Google Nest's devices.

Child Privacy Information

"We appreciate the importance of taking additional measures to protect children’s privacy.

Fitbit allows parents to set up accounts for their children to use with select Fitbit devices (“Children’s Account”). Children’s Accounts are subject to a separate Privacy Policy for Children’s Accounts which explains what information we collect to set up these accounts, what information we collect from a child’s use of our Services, and how we use and share that information. Parents or guardians must consent to the use of their child’s data in accordance with the Privacy Policy for Children’s Accounts in order to create such an account.

Persons under the age of 13, or any higher minimum age in the jurisdiction where that person resides, are not permitted to create accounts unless their parent has consented in accordance with applicable law. If we learn that we have collected the personal information of a child under the relevant minimum age without parental consent, we will take steps to delete the information as soon as possible. Parents who believe that their child has submitted personal information to us and would like to have it deleted may contact us at [email protected]."

Can this product be used offline?

Yes

User-friendly privacy information?

No

Two policies cover one product

Links to privacy information

Does this product meet our Minimum Security Standards?

Yes

Encryption

Yes

Strong password

Yes

To create a Fitbit account, users are required to provide strong, complex passwords during onboarding.

Security updates

Yes

Manages vulnerabilities

Yes

Privacy policy

Yes

Does the product use AI?

Can’t Determine

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

Can’t Determine

*Privacy Not Included

Dive Deeper

  • It's About Damn Time: Google Pixel Watch Makes its Debut
    Gizmodo
  • Google Pixel Watch review
    Tom's Guide
  • Google Agrees to $392 Million Privacy Settlement With 40 States
    The New York Times
  • Pixel Watch Hands-On: Fitbit's Wear OS Debut Highlights Google's First Smartwatch
    CNET
  • Google’s Long-Awaited Pixel Watch Is Finally Here
    Wired
  • Let’s take a closer look at Google’s Pixel Watch
    TechCrunch
  • Europe clears Google-Fitbit with a ten-year ban on using health data for ads
    TechCrunch
