By Michael DeMarco on Monday, 20 May 2019
Category: BSSG Blog

Who Should Regulate Wearables?

Wearable technology, or “wearables”, have been around for decades, technically first becoming popular with Pulsar’s Calculator Wristwatch in the 1970s. Since then, our wearables have become much more capable, accumulating detailed profiles on us as we use them. This begs the question… who is in charge of regulating them?

Wearable Technology Has Been a Successful Mixed Bag

Crunching the numbers, it is clear that wearables as a whole are a successful and appreciated technology by consumers. The number of connected devices around the world, which had reached the not-inconsequential amount of 526 million in 2016, is anticipated to exceed 1.1 billion in 2022. 167 million units of smartwatches and their wristbands are also projected to be shipped that same year.

Clearly, wearable technology has been a commercial success, so there is no reason to anticipate that manufacturers will slow down on their research and development anytime soon. However, it must also be said that wearables have created a few concerns that hadn’t needed to be addressed in the past - especially when it comes to security.

The Dangers of Data

It has been clearly demonstrated that wearables can also create considerable security concerns - in more ways than one might initially think. One only has to look back to the beginning of last year, when the heat mapping feature of the Strava fitness application revealed the classified locations of military bases, thanks to the activity trackers the soldiers would wear during their workouts. Wearables are also notorious for being updated very infrequently (if ever), which makes them perfect devices to be taken over and used as part of a botnet, or as an easy access point into the rest of an otherwise protected network.

One also has to consider what is being done with the data that these devices collect, and how that data could potentially be used to the possible disadvantage of the consumer.

The Regulations that Have Been Put in Place (and Which Matter)

Naturally, such a potentially explosive technology ought to be subject to some regulations. However, the governing bodies and organizations typically responsible for imposing these regulations may not be in a position to do so.

The FD&C Act

The Federal Food, Drug, and Cosmetic Act likely has no power to regulate wearables, as the Food and Drug Administration doesn’t include wearables in its classifications of medical devices, instead describing them as a “low-risk general wellness product.” Basically, the manufacturer’s intended use of a device is what designates it as a medical device or not, which means that (unless wearable manufacturers make the call) these consumer-focused devices won’t need to meet the FD&C Act’s standards.

HIPAA

The Health Insurance Portability and Accountability Act is intended to secure an individual’s rights to their health information. However, while it does provide some protections, HIPAA’s scope doesn’t really cover wearables, which are considered non-covered entities. Furthermore, wearable manufacturers are probably untouched by the secondary use of health data, which is the use of personal health information beyond the direct delivery of healthcare. Because all data is produced by a consumer, and not by a covered entity, secondary use of health data doesn’t apply.

The FTC Act

This act allows the Federal Trade Commission to go after companies that are carrying out deceptive practices, including a failure to comply with their own privacy policy. As it covers entities both covered and not covered by HIPAA, the FTC Act serves as the primary federal statute that dictates how non-covered entities handle their health information-related security practices. The FTC itself is also capable of bringing legal action against those organizations who play fast and loose with consumers’ information, whether they have violated privacy rights or failed to maintain sufficient security.

Where wearables are concerned, the FTC has already spoken up. In 2017, the FTC reported that very few companies discussed their cross-device tracking practices in their privacy policies. Cross-device tracking allows multiple devices to be associated with a single user by linking that user’s activities across these devices. This example shows how the FTC Act is currently one of the more effective means of keeping wearable companies accountable.

What do you think about wearables? Are they something you see as needing to be regulated? Share your thoughts in the comments!

Leave Comments