Brown Elizabeth A
Yale J Health Policy Law Ethics. 2016 Winter;16(1):1-49.
Employers are collecting and using their employees' health data, mined from wearable fitness devices and health apps, in new, profitable, and barely regulated ways. The importance of protecting employee health and fitness data will grow exponentially in the future. This is the moment for a robust discussion of how law can better protect employees from the potential misuse of their health data. While scholars have just begun to examine the problem of health data privacy, this Article contributes to the academic literature in three important ways. First, it analyzes the convergence of three trends resulting in an unprecedented growth of health-related data: the Internet of Things, the Quantified Self movement, and the Rise of Health Platforms. Second, it describes the insufficiencies of specific data privacy laws and federal agency actions in the context of protecting employee health data from employer misuse. Finally, it provides two detailed and workable solutions for remedying the current lack of protection of employee health data that will realign employer use with reasonable expectations of health and fitness privacy. The Article proceeds in four Parts. Part I describes the growth of self-monitoring apps, devices, and other sensor-enabled technology that can monitor a wide range of data related to an employee's health and fitness and the relationship of this growth to both the Quantified Self movement and the Internet of Things. Part II explains the increasing use of employee monitoring through a wide range of sensors, including wearable devices, and the potential uses of that health and fitness data. Part III explores the various regulations and agency actions that might protect employees from the potential misuse of their health and fitness data and the shortcomings of each. Part IV proposes two specific measures that would help ameliorate the ineffective legal protections that currently exist in this context. 
In order to improve employee notice of and control over the disclosure of their health data, I recommend the adoption of a mandatory privacy labeling law for health-related devices and apps to be enacted and enforced by the Federal Trade Commission (FTC). As a complementary measure, I also recommend that be amended so that its protections extend to the health-related data that employers may acquire about their employees. The Article concludes with suggestions for additional scholarly discussion.