So, what are these companies doing with all this workout data they’re collecting? Who else can see or use it?
Well, apart from Kinomap, which specifically says it shares information with the International Olympic Committee, it’s hard to say for sure. (Kinomap didn’t respond to a question from CR about this.)
In most cases, your data could be shared with a very extensive group of companies. That group includes fraud protection companies, IT and technical support providers, payment processors, analytics providers, advertisers, marketing and database management firms, law enforcement, government regulators, and more.
A few privacy policies outline specific reasons why certain outside companies might receive your data. Tempo, for example, partners with a company called Prism Labs, which calculates body composition based on head-to-toe 3D body scans.
In all cases, the privacy policies allow the companies to share your information with at least some other organizations. As the privacy policies of BowFlex and several other companies point out, in certain situations, this may be legally considered to be “selling” your data under the California Consumer Privacy Act or other state privacy laws.
Some, but not all, of these fitness companies also offer separate privacy policies specifically to cover consumer health information, a category of data defined by a handful of state privacy laws. Washington, Nevada, and Connecticut are a few of the states that have enacted such laws, which make it unlawful, for example, to sell consumer health data without first getting users’ consent. Definitions of consumer health data vary by state but may include any data that would allow a company to infer a person’s physical or mental health diagnoses.
These state-specific policies occasionally shed a bit more light on data protections the companies have in place. Tonal, which collects health information that can include pregnancy data, explicitly states that it neither sells nor shares consumer health data, beyond what you might grant permission for by integrating your Tonal information with Apple Health, for example.
Several companies say that the purpose of sharing your data with analytics and advertising providers may be to target you with ads. Language like this is a red flag, according to Justin Sherman, CEO of research and advisory firm Global Cyber Strategies. That’s because it potentially gives companies the right to share your data with data brokers.
Data brokers collect information on individuals from a wide range of sources and provide it for other companies’ use. In many cases, their customers use the information for targeted advertising, but health data generated by exercise services could also end up being shared with other clients, including insurance companies. That would be similar to how information on driving behavior has been collected by car manufacturers, then ultimately shared with car insurers.
It’s not a stretch to imagine life, disability, or long-term care insurers making use of such data to help determine your coverage or premiums, Sherman says. “That is absolutely the kind of thing that’s in market demand.”
We reached out to all the companies whose services we evaluated and asked them about our findings, including why such widespread data collection is necessary to provide their services, how they comply with state-level privacy laws, and what protections they have in place to keep customers’ data from being shared with data brokers.
Most didn’t respond.
Peloton provided some additional context on how it treats data on customers who participate in pregnancy-oriented workouts. “While we do not collect medical or health information, certain privacy-related laws may classify some of our offerings—such as pregnancy-related workouts or accessibility features—as health-related information,” a company spokesperson told us. “Importantly, Peloton does not make any assumptions about a Member’s health or medical conditions based on their workout selections.” Peloton also told us it doesn’t sell its members’ information to data brokers, though the company’s privacy policy says it may use the data it collects for marketing.
A representative from Hydrow told us that they “fully adhere to all applicable data privacy regulations.”
We also asked Tonal about its practice of storing video of users. “We save only those recordings that a customer has decided to save. Saving the recordings allows Tonal to provide guidance to the member about their form and power self-serve tools that enhance users’ workout experience,” the company told us. “Members can review their videos to assess their form and refine their movements. If desired, they can delete their recordings at any time.”