
Your heart on your sleeve: The data protection implications of wearable tech

Emma Fox provides practical tips on how wearable providers can stay within DP law in Privacy Laws and Business

Not too long ago, the idea of wearing a computer that tracks your every movement and sends data about you to other devices and applications would have been seen as futuristic and inaccessible. Nowadays, smart watches and fitness trackers are abundant and wearable technology is becoming increasingly commonplace.

Wearable tech is an area of immense potential and can carry significant benefits for users. Fitness trackers can help users to live a healthier lifestyle by tracking their activity, health and weight. But wearables can go much further than this; take, for example, UK company MediWiSe, which has developed a device that can be worn on the ear to continuously monitor blood glucose levels for diabetics. Open Bionics, a Bristol-based company, is creating 3D-printed prosthetic hands which operate via sensors on the skin to pick up muscle movements. There are an increasing number of UK start-ups seeking to take advantage of the ease and benefits brought about by wearable tech.

However, these benefits inevitably involve the collection and use of a huge volume of personal data about users, often including sensitive data. The UK Information Commissioner’s Office (ICO), in conjunction with several other privacy regulators worldwide, has recently highlighted shortcomings in data protection compliance across Internet of Things (IoT) devices, shortcomings which wearable device providers will need to steer clear of (wearables being, after all, a subset of the IoT). The study, coordinated by the Global Privacy Enforcement Network (GPEN),1 demonstrates that whilst wearable devices can make life easier and more enjoyable, providers and other stakeholders must be careful not to let their data protection obligations fall by the wayside. In the UK,2 this means ensuring that the processing of personal data complies with the Data Protection Act 1998 (DP Act) and, from 25 May 2018, the EU General Data Protection Regulation 2016/679 (GDPR).

Transparency

The DP Act and the GDPR require organisations to be transparent with individuals about how their personal data is being used. This means that comprehensive, accessible privacy notices must be provided at the point of data collection. The GDPR in particular requires data controllers to provide extensive information to users about the protection of their personal data, but in a “concise, transparent, intelligible and easily accessible form”. The GPEN study found that a large proportion of the IoT devices surveyed (overall around 60%) failed to communicate adequate data processing information to their users.

Transparency presents a practical challenge in the context of wearables: user interfaces are generally small or non-existent, and nowadays it may not be reasonable to expect users to read full privacy notices provided in physical or online user manuals. To ensure compliance, wearable providers should:

  • Consider the use of standardised icons, as referred to in the GDPR and endorsed in the ICO’s Privacy Notices Code of Practice, to inform users what is happening to their data;
  • Think about using “sticky policies”, which are machine-readable policies attached to particular data that travel with it and define how that data may be used;
  • Take a layered approach to privacy notices, so that key information is provided at the point of collection of data, with a link to a more detailed privacy policy; and
  • Review any existing privacy notices and ensure these are updated to comply with the stricter GDPR requirements.

Consent

Many of the benefits of wearable devices involve the collection of sensitive personal data, most commonly health information. It is likely that explicit consent will be needed to process that data, but wearable providers will also need to consider whether consent will be required to process other, non-sensitive, personal data. Wearable providers must rely on a lawful processing condition to justify the collection and use of all personal data and sensitive personal data. Whilst consent is not necessarily required, the Article 29 Working Party’s (WP29) Opinion on the IoT certainly suggests that other relevant conditions, such as contractual necessity and legitimate interests, may be difficult to fulfil given the privacy implications of IoT devices and the nature of the data collected and processed.

If consent is required, that consent will need to be valid. This means that consent must be “freely-given, specific and informed” under the DP Act, with the additional requirement that it is “unambiguous” under the GDPR. For sensitive personal data, consent must be “explicit”. Consent is unlikely to be valid if it is a condition of using the device, and implying consent simply through using the device will not be sufficient. This presents practical challenges for wearable providers, where the inherent objective of a wearable device requires personal data to be collected; in effect, if users want the benefit of the device, they have to agree to some personal data being used. Wearable providers will also need to bear in mind that consent can be withdrawn at any time, and the GDPR puts a positive obligation on data controllers to tell users that they can do this.

Wearable providers should therefore:

  • Review their data processing activities and consider whether consent is required to carry out those activities;
  • Where consent is required or relied upon, ensure that users are given very clear information about how their personal data will be used, and a genuine choice as to what personal data is collected and what is done with it;
  • Consider embedding an option to switch off a device’s connectivity and use it as a normal, unconnected device to allow users to choose whether personal data is collected and used or not;
  • Ensure that consent is not a condition of using any services other than the most basic functionality of the device; and
  • Implement procedures allowing users to withdraw their consent easily and ensure that personal data is not further processed if they do so.

Data minimisation

Another key principle of the DP Act and the GDPR is that personal data used must not be excessive in relation to the purposes for which it is collected. This means that organisations must only collect and use the minimum amount of personal data necessary to enable them to carry out the purposes for which personal data is intended to be used. Under the GDPR, providers will also be obliged to comply with the “data protection by default” principle, which requires that, by default, only the minimum amount of personal data is collected and used.

To comply, wearable providers will need to:

  • Ensure that providing personal data is not mandatory where the user is not interested in the functionality of the device that requires that information;
  • Give users a genuine choice as to information they provide beyond the minimum required for the device to function; and
  • Ensure devices’ settings are set up so as to collect the bare minimum of personal data required for the basic functioning of the device, with personal data required for additional functionalities input separately, with additional privacy notices provided and consents obtained.

Data sharing

Many of the concerns around the use of wearables stem from uncertainties around the third parties with which personal data may be shared. Wearable technology often involves a complex network of data controllers all sharing personal data with each other and third parties. For example, device providers may share information they collect with social media platforms, users’ insurance providers or doctors, or employers which provide employees with wearable devices to monitor workplace activity. It is important that users have knowledge of, and consent to, this sharing.

As such, wearable providers will need to:

  • Make sure that clear information is provided to users about the parties with which personal data will be shared, and that compliant consent is provided; and
  • Put in place written contracts with third parties with whom personal data is shared, including a clear allocation of responsibilities for processing activities. This will help to make sure that it is clear who is accountable for particular processing and associated breaches.

Data security

Security is also key in the wearables sphere. The GPEN study revealed concerns around medical reports being sent from wearable devices to GPs via unencrypted email. On a much wider level, the inherent interconnectivity of wearables and the IoT presents heightened risks of systems being compromised and personal data being exposed. As wearable technology develops further, we may see specific security standards being introduced for the industry. But in the meantime, wearable providers will need to be conscious of their obligations to take appropriate technical and organisational security measures to protect data. Examples of steps wearable providers can take to comply include:

  • Making sure that the devices can be appropriately protected if they store personal data, for example by password protection or by encrypting stored data with keys that are not kept alongside it;
  • Appropriately securing the software used to collect, store and process personal data; and
  • Ensuring security of transmissions of personal data, whether from the device to an app or to a third party, which in practice means encrypted channels rather than the unencrypted email GPEN observed.
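The first bullet is where a loosely worded "encryption" requirement most often goes wrong in practice: data encrypted without integrity protection can be altered without detection, and data bound to no particular device can be lifted and replayed elsewhere. As an added example (not code from the article, and not any wearable vendor's firmware), the Go program below stores a constructed health sample on a device using AES-GCM, which both encrypts and authenticates. The key is assumed to be generated and held in the device's secure element or OS keystore; the device identifier, user ID and sample values are hypothetical. The point it shows beyond the bullet is that a tampered record, a record copied to another device, or a record read with the wrong key is rejected outright rather than decrypted into garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// HealthSample is a constructed example of the sensitive personal data a
// wearable might buffer locally before syncing to its companion app.
type HealthSample struct {
	UserID    string  `json:"user_id"`
	Timestamp int64   `json:"ts"`
	HeartRate int     `json:"bpm"`
	GlucoseMM float64 `json:"glucose_mmol_l"`
}

// SealedRecord is what is actually written to device storage: a fresh
// per-record nonce and the AES-GCM ciphertext with its authentication tag.
// The key is never stored next to it.
type SealedRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDeviceKey returns a random 256-bit key. On a real device this would be
// generated inside, and never leave, a secure element or OS keystore
// (an assumption of this example; the article does not discuss key handling).
func NewDeviceKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one sample. deviceID is passed as GCM associated data: it is
// authenticated but not encrypted, so a record copied to another device (or
// relabelled with a different device ID) fails to open.
// Random 96-bit nonces are fine for the modest record counts a wearable
// buffers; a high-volume server store would rotate keys or use a counter.
func Seal(key []byte, deviceID string, s HealthSample) (SealedRecord, error) {
	plaintext, err := json.Marshal(s)
	if err != nil {
		return SealedRecord{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(deviceID))
	return SealedRecord{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies a record. Any change to the ciphertext, the
// nonce, the device binding or the key makes GCM reject it before any
// plaintext is returned, which unauthenticated "encryption" does not give you.
func Open(key []byte, deviceID string, r SealedRecord) (HealthSample, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return HealthSample{}, err
	}
	pt, err := gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(deviceID))
	if err != nil {
		return HealthSample{}, errors.New("record rejected: wrong key, wrong device or tampered data")
	}
	var s HealthSample
	if err := json.Unmarshal(pt, &s); err != nil {
		return HealthSample{}, err
	}
	return s, nil
}

func main() {
	key, _ := NewDeviceKey()
	sample := HealthSample{UserID: "user-123", Timestamp: 1700000000, HeartRate: 72, GlucoseMM: 5.4}
	rec, _ := Seal(key, "device-A", sample)
	if _, err := Open(key, "device-A", rec); err == nil {
		fmt.Println("round trip ok")
	}
	rec.Ciphertext[0] ^= 0x01 // simulate flash corruption or deliberate tampering
	_, err := Open(key, "device-A", rec)
	fmt.Println("after tampering:", err)
}
```

The same construction applies to the third bullet when a record is pushed to the companion app or a third party: the transport should be TLS, but sealing the record under a per-user key before it leaves the device means the recipient's mail server or a misconfigured intermediary never holds the plaintext.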

Data portability and data retention

Under the GDPR, the right to data portability (i.e. to extract a copy of personal data you have provided in a common, machine-readable electronic format and to transfer it to another organisation) is a fundamental privacy right. Although the benefit of wearable devices usually comes from the interpreted data, rather than the raw data uploaded or generated, wearable providers will need to bear in mind that users will have a right to access that raw data. The right of data portability does not just cover personal data that a user has physically input him or herself; personal data “provided” by an individual also includes data generated by his or her activity. This is likely to capture a great deal of the personal data collected by wearable devices. The WP29’s recent Opinion on data portability suggests that data controllers will need to offer individuals an option to download their personal data directly themselves, without having to make a specific request to the data controller.

Both the DP Act and the GDPR also prohibit personal data from being kept for longer than is necessary. Steps that wearable providers can take to comply with these obligations include:

  • Factoring the right of data portability into the design and specification of devices and associated software and making sure that users can download all personal data stored, including any raw data, and transfer this to another provider if they wish;
  • Ensuring that personal data is securely deleted when it is no longer needed, for example if an account is closed or inactive for a period of time;
  • Considering whether there is a need to keep the raw data collected once the relevant data has been extracted and analysed; and
  • Implementing written retention policies setting out when and how personal data should be deleted.

Privacy by design and by default

The concept of Privacy by Design and by default is recommended as current best practice and is codified in the GDPR. It means that privacy considerations must be taken into account at the outset of a project, and that by default, the minimum amount of personal data necessary must be collected and processed. Data protection impact assessments (DPIAs) form a key part of privacy by design. These are risk assessments that enable organisations to assess and mitigate the privacy risks of a particular project at an early stage. DPIAs will be mandatory under the GDPR where processing is likely to result in a high risk to individuals, which the large-scale processing of health data by wearables may well be, and are currently strongly recommended as best practice.

Wearable providers should take the following steps to comply with these obligations:

  • Ensure that privacy forms a key part of project methodology;
  • Put in place robust DPIA procedures and ensure these are carried out as part of the development of new devices, new functions for existing devices, or wider wearables projects; and
  • Ensure that each device’s default settings involve the collection and use of the minimum amount of personal data necessary for the device’s basic functioning, and that any additional collection or use of personal data requires a further consent. For example, if a device is capable of calculating a user’s calorie burn using height and weight data, but this is not necessary for the day-to-day functioning of the device, this functionality should be switched off by default.

Following the GPEN study, the data protection authorities involved are considering action against providers of IoT devices they consider to have breached data protection laws. This means we may see further developments in this arena in the not-too-distant future. In the meantime, device providers and other stakeholders in wearable technology networks should make sure they do not allow privacy to become an afterthought and that they are clear with users about how personal data is used, to avoid falling foul of the DP Act and the GDPR.

1 www.privacyenforcement.net/node/717

2 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/09/privacy-regulators-study-finds-internet-of-things-shortfalls/

Originally published in Privacy Laws and Business in March 2017

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.
