Let's face facts: When you get a new wearable device, whether it be a smartwatch or fitness tracker, you tear it out of the box and quickly tap "next," "next," and "Agree" to anything presented to you - including the terms of service and privacy policies.
2018 is a new world though, one where data breaches seem to be happening monthly. There was also Facebook's big Cambridge Analytica scandal, which opened a lot of eyes to how much data these companies have on us and how it can be abused for nefarious purposes.
The year 2018 also brings us to the European Union's General Data Protection Regulation (GDPR), which took effect on 25 May. You no doubt noticed the countless emails and notifications yelling "We've changed our privacy policy!"
GDPR sets privacy rules built for our modern times. They aim to ensure that personal data is collected under strict conditions and those who collect it will need to protect it from exploitation and misuse. Companies also have to tell you how they collect and use your data in the simplest terms possible, which is why all those privacy policies are getting major rewrites.
GDPR applies to companies in the EU, but it also applies to any company that wants to offer goods and services in the EU. As companies are often pragmatic and want to avoid messiness, like having wildly different privacy policies for different parts of the world, it essentially means that many of GDPR's rules could trickle out to non-EU countries.
Below, you'll find a quick intro on who fares best in this new world of privacy policy. You'll then find breakdowns of a select number of company terms and services and privacy policies - complete with highlights and links for your perusal.
Data privacy: The best option
It can be a real pain to go through every company's privacy policy. Luckily for you, we've done all the grunt work.
Apple and Fitbit come out on top for privacy, though for slightly different reasons. Apple's privacy policy is probably the easiest to read, though a lot of that has to do with its more blanket approach to privacy. For instance, the iPhone and Apple Watch largely have the same privacy policies, which you can access in your iPhone's settings app.
The Cupertino company also makes it incredibly easy to correct and erase your data with its privacy portal. You just have to sign into your Apple ID and go to town. If you're not in the EU, some of the ease of deleting your data is eroded, though Apple tells 9to5Mac it plans on adopting those features for the rest of the world, too.
While Fitbit does sell de-identified data (Apple only uses your location to serve you geographically relevant ads), it also has one of the more robust privacy policies out there. The company even went ahead and heavily retooled its policies for GDPR. It's far easier to delete your data now, too. Fitbit even has a separate privacy policy just for kids (thanks, Fitbit Ace), clearly outlining what parents can and can't do with their kids' data.
Coming up third is Samsung, which has a well-rounded privacy policy without any red flags. Well, okay, Samsung really wants you to know that it's not liable if its products are faulty, but in regards to data everything is great. Garmin follows that, though Garmin's privacy policy isn't the easiest to find on its website, and when you do find it, it can be a chore to read through.
Garmin's process for deleting data could also be better, as you'll have to email one of two email addresses, depending on whether you live in the EU or not. Under Armour, which owns a number of important wearable apps like MapMyRun, follows. The company has seen a data breach resulting in 150 million people's accounts being compromised, so that's worth remembering here.
Under Armour's policy is very, very long and very, very difficult to read. It collects a whole mess of data, details several default sharing options, and explains how you can opt out of location data used for ad tracking.
Google is up next, largely because it's been accused of violating GDPR rules on the first day. Privacy group noyb.eu points out that GDPR allows data collection and processing that's strictly necessary for service. Everything else, like data for ads, needs to have an opt-out option. This is a layered approach that allows users to opt out of ads while using the service. However, Google doesn't allow you to use its services unless you agree to its privacy policy, which forces users to either accept all Google's data policies or not use its services.
In last place comes Xiaomi. While there's nothing too egregious here, any complaints or lawsuits against the company will be routed through Chinese courts. Also, the company doesn't outline what would happen to your data if there was a merger or closure - only that it would let you know of the decisions that would be made. Not good enough at all.
Fitbit
"The accuracy of the data collected and presented through the Fitbit Service is not intended to match that of medical devices or scientific measurement devices."
"The Fitbit Service is not intended to diagnose, treat, cure, or prevent any disease. If you have a medical or heart condition, consult your doctor before using the Fitbit Service, engaging in an exercise program or changing your diet."
"Prolonged contact with wearable devices may contribute to skin irritation or allergies in some users. To reduce irritation, follow four simple wear and care tips: (1) Keep it clean; (2) keep it dry; (3) don't wear it too tight, and (4) give your wrist a rest by removing the band for an hour after extended wear. For more information visit www.fitbit.com/productcare. If you notice any skin irritation, soreness, tingling, numbness, burning, or stiffness in your hands or wrists while or after wearing the product, remove your device and please discontinue use. If any symptoms persist longer than 2-3 days after removing the device, consult your doctor."
"Fitbit products using PurePulse technology have a heart rate tracking feature that may pose risks to users with certain health conditions. Consult your doctor prior to use of such products if you (1) have a medical or heart condition, (2) are taking any photosensitive medicine, (3) have epilepsy or are sensitive to flashing lights, (4) have reduced circulation or bruise easily, or (5) have tendonitis, carpal tunnel syndrome, or other musculoskeletal disorders."
Fitbit Terms and Conditions (23 April 2018)
"We also use your information to make inferences and show you more relevant content. Here are some examples:
"We may share non-personal information that is aggregated or de-identified so that it cannot reasonably be used to identify an individual. We may disclose such information publicly and to third parties, for example, in public reports about exercise and activity, to partners under agreement with us, or as part of the community benchmarking information we provide to users of our subscription services."
"If we are involved in a merger, acquisition, or sale of assets, we will continue to take measures to protect the confidentiality of personal information and give affected users notice before transferring any personal information to a new entity."
"Some Fitbit devices support payments and transactions with third parties. If you activate this feature, you must provide certain information for identification and verification, such as your name, credit, debit or other card number, card expiration date, and CVV code. This information is encrypted and sent to your card network, which upon approval sends back to your device a token, which is a set of random digits for engaging in transactions without exposing your card number."
Fitbit Privacy Policy (23 April 2018)
"When you create an account for your child, we'll ask for personal information about them, like their name, date of birth, gender, height, and weight. You or your child may choose to share certain additional information with us."
"We use the information in the following ways: to provide, personalize, and improve our services, authenticate users' identities, to track activities and exercise, and to provide customer support. We also use the data we collect for internal purposes such as troubleshooting, protecting against errors, data analysis and testing, to develop new features and services, and to promote the safety and security of Fitbit.
We also use the information we collect to help children connect with other, guardian-approved Fitbit users which are displayed within the family account."
"If at any time you wish to stop further collection or use of your child's information, you can delete your child's account by either (1) contacting Customer Support, or (2) deleting your child from the family account and confirming your intent to delete the account in the email we send you."
"When your child turns 13 (or any higher minimum age required for the creation of a Fitbit account without parental consent in your country), he or she will be eligible to independently manage his or her account. If your child chooses to manage his or her Fitbit account, you will no longer have access to, or be able to exercise control over it through your Fitbit account."
Fitbit Privacy Policy for Children's Accounts (23 April 2018)
Apple Watch
"Using Apple Watch in some circumstances can distract you and may cause a dangerous situation (for example, avoid typing text messages while driving a car or using headphones while riding a bicycle). By using Apple Watch you agree that you are responsible for observing rules that prohibit or restrict the use of mobile phones or headphones (for example, the requirement to use hands-free options for making calls when driving)."
"Apple Watch, the heart rate sensor and its data and included Apple Watch apps are not medical devices and are intended for fitness purposes only. They are not designed or intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease."
"Before starting or modifying any exercise program using Apple Watch, consult your physician. Be careful and attentive while exercising. Stop exercising immediately if you feel pain, or feel faint, dizzy, exhausted, or short of breath. By exercising, you assume inherent risks including any injury that may result from such activity. If you have any medical condition that you believe could be affected by Apple Watch (for example, seizures, blackouts, eyestrain, or headaches), consult with your physician prior to using Apple Watch."
"Sharing or syncing photos through your Apple Watch may cause metadata, including photo location data, to be transmitted with the photos."
"Apple and its licensors reserve the right to change, suspend, remove, or disable access to any Services at any time without notice. In no event will Apple be liable for the removal of or disabling of access to any such Services. Apple may also impose limits on the use of or access to certain Services, in any case and without notice or liability."
"Neither Apple nor any of its content providers guarantees the availability, accuracy, completeness, reliability, or timeliness of stock information, location data or any other data displayed by any Services."
"Location data provided by any Services, including the Apple Maps service, is provided for basic navigational and/or planning purposes only and is not intended to be relied upon in situations where precise location information is needed or where erroneous, inaccurate, time-delayed or incomplete location data may lead to death, personal injury, property or environmental damage. You agree that, the results you receive from the Maps service may vary from actual road or terrain conditions due to factors that can affect the accuracy of the Maps data, such as, but not limited to, weather, road and traffic conditions, and geopolitical events. For your safety when using the navigation feature, always pay attention to posted road signs and current road conditions. Follow safe driving practices and traffic regulations, and note that walking directions may not include sidewalks or pedestrian paths."
"Apple may also impose limits on the use of or access to certain Services, in any case and without notice or liability."
"Nor is Apple responsible for the content, accuracy or unavailability of any payment cards, rewards cards, stored value cards, commerce activities, transactions or purchases while using Apple Pay functionality, nor is Apple in any way involved in the issuance of credit or assessing eligibility for credit, or the accrual or redemption of rewards under a merchant's rewards program."
Apple watchOS Terms and Conditions (not dated)
"A small number of people will experience reactions to certain materials. This can be due to allergies, environmental factors, extended exposure to irritants like soap or sweat, and other causes. If you know you have allergies or other sensitivities, be aware that Apple Watch and some of its bands contain the following materials: Nickel, Methacrylates."
"Another potential cause of discomfort is wearing your Apple Watch too tightly or loosely. An overly tight band can cause skin irritation. A band that's too loose can cause rubbing. If you experience redness, swelling, itchiness, or any other irritation, you may want to consult your physician before you put Apple Watch back on."
Wearing Apple Watch support page (22 September 2017)
"You may be asked to provide your personal information anytime you are in contact with Apple or an Apple affiliated company. Apple and its affiliates may share this personal information with each other and use it consistent with this Privacy Policy."
"We also collect data in a form that does not, on its own, permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose."
"We may collect information such as occupation, language, zip code, area code, unique device identifier, referrer URL, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising."
"We may collect information regarding customer activities on our website, iCloud services, our iTunes Store, App Store, Mac App Store, App Store for Apple TV and iBooks Stores and from our other products and services. This information is aggregated and used to help us provide more useful information to our customers and to understand which parts of our website, products, and services are of most interest. Aggregated data is considered non‑personal information for the purposes of this Privacy Policy."
"We may collect and store details of how you use our services, including search queries. This information may be used to improve the relevancy of results provided by our services. Except in limited instances to ensure quality of our services over the Internet, such information will not be associated with your IP address."
"Apple takes the security of your personal information very seriously. Apple online services such as the Apple Online Store and iTunes Store protect your personal information during transit using encryption such as Transport Layer Security (TLS). When your personal data is stored by Apple, we use computer systems with limited access housed in facilities using physical security measures. With the exception of iCloud Mail, iCloud data is stored in encrypted form including when we utilize third-party storage."
Apple Privacy Policy (22 May 2018)
Xiaomi Mi Band
"The laws of the People's Republic of China will apply to any disputes arising out of or relating to these terms or the Services. All claims arising out of or relating to these terms or the Services will be litigated exclusively in the courts of the People's Republic of China, and you and Xiaomi consent to personal jurisdiction in those courts."
"Do not use our Services in a way that prevents you from obeying traffic safety laws."
"Other than as expressly set out in these terms or additional terms, neither Xiaomi nor its suppliers or distributors make any specific promises about the services. For example, we don't make any commitments about the content within the services, the specific functions of the services, or their reliability, availability, or ability to meet your needs. We provide the services "as is"."
Mi Terms and Conditions (not dated)
"We are committed to protecting the privacy, confidentiality and security of your personal information by complying with applicable laws, and we are equally committed to ensuring that all our employees and agents uphold these obligations."
"We may disclose your personal information on occasion to third parties (as described below) in order to provide the products or services that you have requested."
"If Xiaomi is involved in a merger, acquisition or asset sale of all or a portion of our assets, you will be notified via email and/or a prominent notice on our website, of any changes in ownership, uses of your personal information, and choices you may have regarding your personal information."
Mi Privacy Policy (25 April 2018)
Garmin
"We are not responsible for, and we do not endorse, the opinions, advice, or recommendations posted or sent by users in any Public Forum and we specifically disclaim any and all liability in connection therewith."
"Garmin makes no representations or warranties about the accuracy, reliability, completeness, or timeliness of the Content or about the results to be obtained from using the Garmin Sites and the Content. Any use of the Garmin Sites and the Content is at your own risk."
Garmin Connect Terms of Use (not dated)
"Garmin processes your activity data, if you choose to upload it to Garmin, to enable you to analyze your activity data, see your location on your activity course and segment maps, see your heart rate related metrics such as stress score, track your fitness goals, and, if you wish, share your activity data with others. If you reside in the European Economic Area or in Switzerland, the legal ground for this processing is your explicit consent, which you can withdraw at any time within your Garmin account."
"If you choose to upload activity data (such as steps, distance, pace, activity time, calories burned, heart rate, sleep, etc.) from your Garmin device to your Garmin account and you choose to participate in Insights, then you will be presented with an Insights section in your Garmin account in which you will be provided with recommendations and motivational messages, information and links to articles that may be of interest to you based upon your activity data, and a comparison of your activity data with aggregated activity data of others in the Garmin Connect community. If you reside in the European Economic Area or in Switzerland, the legal ground for processing this data for this purpose is your explicit consent, which you can withdraw at any time within your Garmin account."
"If you choose to enable your Garmin account to access accounts you have with other app providers, such as your MyFitnessPal, Strava or TrainingPeaks account, we will obtain information about you from such account, such as the number of calories consumed in a particular day based on information from your MyFitnessPal account or courses and segments from your Strava account."
"If you reside in the European Union, you have the right under the General Data Protection Regulation to request from Garmin access to and rectification or erasure of your personal data, data portability, restriction of processing of your personal data, the right to object to processing of your personal data, and the right to lodge a complaint with a supervisory authority. If you reside outside of the European Union, you may have similar rights under your local laws."
Garmin Connect Privacy Policy (25 May 2018)
Under Armour
"The UA parties make no warranty that (a) the services will meet your requirements; (b) the services will be uninterrupted, timely, secure, or error-free; (c) the results that may be obtained from the use of the services will be accurate or reliable; (d) the quality of any products, services, information, or other material purchased or obtained by you through the services will meet your expectations; and (e) any errors in the services will be corrected."
"Certain sports organizations have rules on amateurism and eligibility that could potentially be implicated if you post User Content within the Services, even User Content that you believe is noncommercial in nature. It is your responsibility to determine whether posting User Content within the Services will affect your eligibility to participate in any sport under any applicable rules of any sports organization."
"Some unauthenticated Users may have the ability to extract location information from photos or videos that are posted by you with a "Public. Share With Everyone" designation."
"Upon your termination of your Account, you may request that we completely "purge" your Account, including deleting any and all User Content previously submitted. We will undertake commercially reasonable efforts to ensure that your User Content associated with your Account is purged when you terminate your Account, subject to the limitation that we may not be able to fully delete all of your User Content, specifically any User Content posted in our community groups, or on other User pages. In addition, we cannot wholly purge health index-related User Content upon the deletion of a User Account. We will, however, remove individually identifiable information upon the termination of your Account."
Under Armour Legal Policies (2014)
"We may collect precise Location Data in several ways, such as through your wireless carrier, based on WiFi access point location, via Bluetooth beacons, through a connected device, or directly from the device on which you use the Services. If you choose to purchase apparel or products with specially embedded hardware to track the movement or location of the apparel or product, these technologies may also enable collection of precise Location Data. If you are accessing the Services through one of our mobile applications, the way we collect precise Location Data will differ depending on your mobile device's operating system. In all events, we do not collect precise Location Data, unless you have 'allowed' its collection. If you decline to allow Location Data collection in the app, we will not collect your precise Location Data unless you manually enter it in."
"We may also ask for your consent to share your Personal Data with certain Third Party business partners in order to offer certain goods, services, or programs. To withdraw consent, please go to the preferences of the specific third party service or app."
"We may ask for your consent to provide Personal Data to allow third parties to contact you regarding their products, services, Promotions, or offers. Typically this is in conjunction with a sweepstakes or challenge (your consent for third party marketing is generally not a pre-requisite to participation). To withdraw consent, please go to the preferences of the specific third party."
"We may request your consent to use your Personal Data for Research purposes. We may also request your consent to contact you to determine your interest to participate in certain Research initiatives and to share identifying results. For market research, we may ask questions on behalf of business partners and share your response with business partners."
"'Fitness and Wellness Data' includes data you provide related to your lifestyle (e.g., sleeping habits), life events, dietary restrictions, fitness goals, height, weight, measurements, fitness level, heart rate, sleep data, BMI, biometric data, and similar types of data relating to physiological condition, and activity. We collect this data in order to provide the Services and to tailor features, products, advertising, and services to your interests and goals, including providing meal suggestions, workout plans, training- and coaching-related services, and product recommendations (e.g., custom products)."
"We also collect Personal Data, including Fitness and Wellness Data, when you use a device that is connected to the Internet, such as heart rate monitors, activity trackers, and other devices or wearables that are not personal computers or mobile phones or tablets. When you use a wearable or connected device or product, we may also collect certain information about the device or product such as serial number, Bluetooth address, UPC, or other device- or purchase-related information."
"Within our Services there are four sharing settings: Private, Share with Friends, MyFitnessPal Members Only (only available within MyFitnessPal), and Public. Under Armour apps are designed for your wellness and fitness benefit. As such, you are able to control what Personal Data you share and with whom you share it. We encourage you to adjust the sharing settings to best meet your objectives and sharing comfort level. In the interest of safeguarding your Personal Data, we have outlined some initial default sharing settings."
"The Personal Data Under Armour processes, and all associated Services and systems, including registration, is housed on servers in the United States. If you are located outside of the United States, please be aware that Personal Data we collect will be processed and stored in the United States (the data protection and privacy laws in the United States may offer a lower level of protections than in your country/region)."
Under Armour Security and Privacy Policy (20 May 2018)
Google and Wear OS
"Google does not intend Google Fit to be a medical device. You may not use Google Fit in connection with any product or service that may qualify as a medical device pursuant to Section 201(h) of the Federal Food Drug & Cosmetic (FD&C) Act."
Google Fit Developers Terms of Service (28 October 2014)
"We will share personal information outside of Google if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to:
"We'll share personal information outside of Google when we have your consent. For example, if you use Google Home to request a ride from a ride-sharing service, we'll get your permission before sharing your address with that service. We'll ask for your explicit consent to share any sensitive personal information."
"We also use your information to ensure our services are working as intended, such as tracking outages or troubleshooting issues that you report to us. And we use your information to make improvements to our services — for example, understanding which search terms are most frequently misspelled helps us improve spell-check features used across our services."
"We use the information we collect in existing services to help us develop new ones. For example, understanding how people organized their photos in Picasa, Google's first photos app, helped us design and launch Google Photos."
"Many of our services let you share information with other people, and you have control over how you share. For example, you can share videos on YouTube publicly or you can decide to keep your videos private. Remember, when you share information publicly, your content may become accessible through search engines, including Google Search."
Google Privacy Policy (and definitions) (25 May 2018)
Samsung
"The Wearable Device and the Fit Software is intended for recreational purpose only, and is not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease or any other medical purposes. Certain data derived from the Fit Software is for informational purposes only and is not intended to be treated as a medical device nor replace the relationship between you and your physician or other medical provider. Do not disregard professional medical advice nor delay in seeking it because of something you have learned through the Fit Software."
"Samsung is not liable for any injuries, damages, losses and/or costs suffered by users, which are associated with the services and/or information, including recommendations, coaching, tips and/or guidelines, nor for the accuracy of any information provided or acquired by or accessed through Fit Software."
"Samsung will not be liable for any damages of any kind arising out of or relating to the use or the inability to use the software, its content or functionality, including but not limited to damages caused by or related to errors, omissions, interruptions, defects, delay in operation or transmission, computer virus, failure to connect, network charges, and all other direct, indirect, special, incidental, exemplary, or consequential damages even if Samsung has been advised of the possibility of such damages, some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above exclusions or limitations may not apply to you."
Samsung Gear/Gear Fit EULA (1 January 2017)
"We combine information from or about you, including across different Services or devices, for purposes consistent with this Privacy Policy. For example, we use your Samsung account details across all of the Services that require a Samsung account. We also base our recommendations, customised content, and personalised features for your enhanced experience on the Services on the information you provide to us directly, through using the Services, browsing our website or through information provided to us from our trusted third parties to provide us with a better understanding of our customers."
"Where we use trusted third parties to enrich our database, we ensure that there is a legally enforceable agreement between us and the third party provider to ensure that any combined data has been lawfully obtained from you. Depending on the reason for which we combine the data, and on the requirements of applicable law, specific controls for such combination will be made available to you, for instance in device or application settings menus, or by visiting our webpage which provides you with the opportunity to exercise your individual rights under data protection law. Please visit GDPR Support page."
"We also may collect other information about you, your device, or your use of the Services in ways that we describe to you at the point of collection or otherwise with your separate consent where required.
You can choose not to provide us with certain types of information (e.g. information we request during Samsung account registration), but doing so may affect your ability to use some Services. We will provide you with relevant information at the time of collection to help you make an informed decision."
"We may disclose your information internally within our business to the relevant teams such as, without limitation, the customer services team, the legal team, the finance team, the sales team, and where you have chosen to receive marketing messages, the marketing teams. We may also disclose your information to the following entities, only to the extent that this will be necessary to perform the Services:
"We may disclose your information to a third party as part of a merger or transfer, or in the event of a bankruptcy."
"In addition to the disclosures described in this Privacy Policy, we may share information about you with third parties when you consent to or request such sharing."
Samsung Privacy Policy (25 May 2018)
Additional research by Rob Cappellina. Additional words by Conor Allison.