
Data Privacy in the age of wearables

Are Our Smart Devices Outpacing Our Privacy?

If your wristwatch can track your heartbeat, your oxygen level, your menstrual cycle, your daily steps, and even your sleep habits, what else can it track that you may not realise?

Welcome to the age of wearable technology, where convenience, fitness, and lifestyle optimisation meet continuous surveillance. Whether it’s a smartwatch, fitness band, smart glasses, or health tracker patches, these devices are no longer just accessories. They are always-on data collectors, embedded in our daily lives.

In India, the market for wearables grew over 80% in 2023 and is expected to reach $231.0 billion by 2032 globally, with smartwatches leading the surge. While this innovation improves healthcare access and real-time monitoring, it has also opened the door to invisible data mining, weak security architecture, and vague consent mechanisms.

This blog explores how wearables handle our most sensitive data, what privacy concerns are emerging, and how India’s upcoming Digital Personal Data Protection Act (DPDPA) may offer a way forward.

What Data Do Wearables Collect?

Modern wearables collect much more than steps and calories. Here's a snapshot of what they often track:

  • Biometric data: heart rate, body temperature, oxygen levels, ECG, menstrual health
  • Location data: GPS, movement patterns
  • Sleep cycles: duration, depth
  • Device interactions: voice commands, app usage, notifications
  • Behavioral patterns: gesture tracking

Now imagine if this data is stored insecurely, shared with third-party apps, or accessed without your knowledge. You might just be walking around with a live data leak on your wrist.

Privacy Risks That No One Is Talking About

Informed Consent is Missing

Many wearable brands offer vague privacy policies that users barely read. In India, where digital literacy varies widely, most users are unaware of how their data is processed or shared.

Third-Party App Integration

Fitness apps like Strava, Google Fit, or Apple Health often sync data across platforms. But are Indian users aware if this data travels outside the country?

Cloud Storage and Cross-Border Transfer

A vast portion of wearable data is stored on cloud servers outside India, often with inadequate legal protections. Under GDPR, this may be illegal without proper safeguards. Under DPDPA, this will require specific user consent and purpose limitation.

What Does DPDPA Say?

India’s Digital Personal Data Protection Act (DPDPA), passed in 2023, offers hope. Here's how it may apply to wearables:

  • Consent-based processing: All data must be collected with clear, informed consent.
  • Purpose limitation: Data collected for fitness cannot be reused for insurance profiling without consent.
  • Right to access & erase: Users can demand access to their wearable data and ask for its deletion.
  • Data fiduciary duties: Wearable brands become legally accountable for security and lawful processing.

While DPDPA enforcement is still evolving, it gives users a framework to push back against intrusive data practices.

Data Breaches Involving Wearables

In 2021, researchers uncovered an unprotected GetHealth database exposing over 61 million records from Apple HealthKit and Fitbit users. This repository included names, birth dates, gender, weight, height, and precise geolocation data—all freely accessible without authentication.

Earlier, in 2018, the fitness app Strava faced backlash after its global “heat map” feature unintentionally exposed users’ location traces—mapping routes frequently used for jogging or cycling. Alarmingly, this data revealed sensitive sites like military bases and private residences, sparking massive privacy concerns.

In 2019, Fitbit suffered a breach affecting more than 100 million users. An exploitable vulnerability allowed unauthorized parties access to personal info—names, email addresses, birth dates and even sleep data. The company responded by forcing password resets, notifying affected users, and increasing encryption and monitoring efforts.

Finally, in 2020, Garmin fell victim to a major ransomware attack (WastedLocker), encrypting user data and disrupting services. Though privacy data compromise was indirect, users couldn’t sync fitness records or access their history—highlighting vulnerabilities in wearable back-end systems.

Together, these incidents underscore a critical lesson: massive sensitive data exposure, location tracking exploitation, authentication weaknesses, and backend infrastructure vulnerabilities remain pressing privacy risks in the wearable ecosystem.

What Can Users Do?

For Users:

  1. Check app permissions: Disable unnecessary access to mic, location, or contacts.
  2. Use devices with local storage: Limit auto-upload to foreign servers.
  3. Read privacy policies (yes, even the small print).
  4. Use a passcode/lock for your wearable.

For Startups/Developers:

  1. Implement privacy-by-design: Only collect what is absolutely necessary.
  2. Conduct DPIAs (Data Protection Impact Assessments), especially if handling health or children’s data.
  3. Disclose third-party data sharing transparently.
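One way a developer could enforce the "collect only what is necessary" and purpose-limitation points before any record leaves the device or backend (an added example, not code from this post or from any vendor; the field names, purposes, `ConsentLedger` class and GPS rounding are assumptions made for illustration):

```python
from dataclasses import dataclass, field

# Hypothetical allowlists: the only fields each processing purpose may receive.
PURPOSE_FIELDS = {
    "fitness": {"heart_rate", "steps", "sleep_minutes"},
    "route_sharing": {"steps", "lat", "lon"},
    "insurance_profiling": {"heart_rate", "sleep_minutes"},
}

class ConsentError(Exception):
    """Data was requested for a purpose the user has not consented to."""

@dataclass
class ConsentLedger:
    # user_id -> purposes the user has explicitly agreed to (assumed model)
    grants: dict = field(default_factory=dict)

    def grant(self, user_id, purpose):
        self.grants.setdefault(user_id, set()).add(purpose)

    def withdraw(self, user_id, purpose):
        self.grants.get(user_id, set()).discard(purpose)

    def allows(self, user_id, purpose):
        return purpose in self.grants.get(user_id, set())

def minimise(record, user_id, purpose, ledger):
    """Return only the fields this purpose needs, or refuse outright."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    if not ledger.allows(user_id, purpose):
        raise ConsentError(f"{user_id} has not consented to {purpose}")
    out = {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}
    # Assumption: round GPS to 2 decimals (about 1 km) so a shared trace
    # does not pinpoint a home or workplace.
    for key in ("lat", "lon"):
        if key in out:
            out[key] = round(out[key], 2)
    return out

# Constructed sample reading, not real user data.
SAMPLE = {"heart_rate": 72, "steps": 8421, "sleep_minutes": 412,
          "menstrual_phase": "luteal", "lat": 28.613939, "lon": 77.209023,
          "voice_command": "call mom"}

if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("u1", "fitness")
    print(minimise(SAMPLE, "u1", "fitness", ledger))
```

Fields that no purpose lists, such as `menstrual_phase` and `voice_command` here, can never leave through this path, and withdrawing consent takes effect on the next call.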

More Data, Less Privacy?

As wearables become more intelligent and intrusive, India must prepare to balance innovation with personal autonomy. A smart ring may help you track sleep, but without strong legal and ethical safeguards, it could also become a gateway to micro-surveillance.

These gadgets collect sensitive data like location, health stats, and habits, yet many users remain unaware of how their data is used or shared. To protect digital dignity, India must enforce its data protection law effectively, ensure privacy-by-design in wearable tech, and promote user awareness. Introducing a government-backed privacy certification and empowering regulators can further build trust. The future of wearables in India must strike a balance, leveraging innovation while safeguarding personal privacy, so that Digital Bharat is not just smart, but also secure.


By Prasann Tripathi
