Are current regulations adequate for ensuring the security of wearable data?

Wearables are common in consumer circles and growing in commercial applications like health care. This shift is largely positive, as such devices can expand medical access, track employee safety, and give users more control over their health and wellness. However, all this data collection also comes with a dark side.

As the wearable market grows, the companies running these gadgets will generate more consumer data than ever before. That includes significant biometric information like heart rates, body temperature, blood oxygen levels and sleep activity. Many devices may also access biometric data from users’ phones, including facial recognition or fingerprint identification.

Such massive troves of information naturally carry higher cybersecurity risks. Data privacy legislation has grown in response, with at least 40 states considering such laws in 2023 alone, but are these measures enough?

The state of wearable data security regulations today

Wearables may fall under numerous regulations depending on the industry, end use and location. Medical smart devices face more than most, largely because of the Health Insurance Portability and Accountability Act (HIPAA) and their reliance on more biometric markers. While the makers of these items fall outside of HIPAA jurisdiction, the code still applies to how hospitals and similar entities can use the data they generate.

HIPAA requires getting users’ consent to share health data — including biometrics — and requires “reasonable security protections,” as well as documentation of those defenses. The FTC’s Safeguard Rule has similar requirements for financial institutions. These include implementing access controls, encryption and multifactor authentication (MFA) over customer data, such as fingerprint or facial recognition.

Some region-specific laws offer additional protections. The California Consumer Privacy Act (CCPA) lets California users opt out of data collection, see what information companies collect and request its deletion. Europe’s General Data Protection Regulation (GDPR) has similar guidelines. This legislation does not specifically target wearable-derived biometric data, but it does restrict how organizations can use it.

Similarly, there are state-specific regulations over biometric data — whether from a wearable or not. The Illinois Biometric Information Privacy Act (BIPA) is a prime example. This law requires explicit user consent to collect biometric identifiers, issues a mandatory deletion policy and mandates a “reasonable standard of care” when securing such information in storage and transit. Washington and Texas have similar codes, and at least 12 other states have proposed biometric privacy bills.

The FCC’s IoT Cybersecurity Labeling Program is also worth noting. This voluntary framework requires Internet of Things devices, which include wearables, to meet standards for data privacy, access controls and secure updates in order to receive certification. It may not be mandatory, but it offers a standard consumers can look to for more trust in their electronics.

Where regulations could still improve

While multiple security laws cover wearables and related biometric data, today’s regulations are still insufficient compared to the risks. Notably, there are too many exceptions and generalities.

For example, HIPAA and BIPA do not specify what constitutes “reasonable protection.” As a result, companies could rely on outdated or incomplete security measures, endangering sensitive information while technically remaining compliant. Regulators may later find that they did not do enough, but such consequences arrive only after a breach has already occurred.

Similarly, today’s regulatory landscape is not comprehensive. HIPAA applies to health organizations that use wearable data but not to manufacturers. The FTC’s Safeguard Rule only affects financial institutions. State and regional laws offer added protections but don’t cover all U.S. citizens. Even the most wearable-specific code — the FCC Labeling Program — is voluntary and, as such, leaves users vulnerable.

The U.S. needs a comprehensive and specific national privacy law for its regulations to be enough to ensure wearable biometric security. Congress introduced such a bill in 2022, but whether it will become law, and how it might change along the way, is still uncertain. The same goes for the National Biometric Information Privacy Act, introduced in 2020, which proposes protections similar to those of the Illinois BIPA. Until then, companies and their customers must take thorough security into their own hands.

Businesses hoping to get ahead of the curve should implement real-time breach monitoring, encryption and strict access controls. Minimizing wearable data collection is also ideal, as it reduces what they must secure. Users can take steps like limiting the biometric information they give away on wearables, using MFA and requesting deletion where they have the right.

The nation’s legislation has yet to catch up to today’s security concerns. Organizations and consumers should recognize these gaps to stay safe when using wearables. Greater attention to the issue and calls for comprehensive laws will get wearable biometric security where it needs to be.

About the author

Jack Shaw is a seasoned industry writer and the senior editor of Modded. In his writing, he combines his passion for health with his expertise on technological developments to deliver engaging content that resonates with enthusiasts worldwide. His writings have been published by the EPSNews, Advanced Manufacturing, Packaging Digest and more.
