New Framework Needed: The Increasing Privacy Risks of Modern Consumer Medical Technology
Modern Society and Its Risks
When Oura announced a collaboration in August 2025 with the Department of Defense (DoD) and Palantir, a large data analytics firm, fear rippled across the internet. Many users were concerned that Oura would sell or share their personal health data with the United States government or Palantir. However, Oura’s CEO rejected those claims, stating that the company’s DoD-related work does not provide the government or third parties with access to individual users’ health information. This type of public concern is amplified by the rise of consumer medical technologies such as wearable fitness devices, menstrual tracking apps, and direct-to-consumer genetic testing services. These developments expanded health data collection beyond traditional medical settings, raising key privacy issues including tracking, data commodification, and user identification. Moreover, many people have the misconception that all health data is protected by the Health Insurance Portability and Accountability Act (HIPAA). However, HIPAA has almost no authority over consumer medical technology companies.
Consumer medical technologies pose three key privacy risks that expose the inadequacy of existing U.S. privacy law. First, companies may sell sensitive health data to third parties without users’ knowledge. This happened last year, when a California jury found that Meta illegally collected reproductive health information from millions of Flo app users without their consent, exploiting the immense commercial value of such data to advertisers. Second, companies could use consumer medical technology to surveil individuals and make inferences about their personal lives. For instance, health data stored in period-tracking apps could be used to infer whether the user has had an abortion and to prosecute them in states where abortion is now banned. Third, the health data collected could be exposed in a breach, allowing unknown entities to obtain it. Such an attack happened to 23andMe when hackers bypassed the company’s cybersecurity and collected approximately 7 million customers’ genetic information.
This Legal Impression argues that the continued growth of consumer medical technologies and data-sharing practices is driven by weak legal protections under existing U.S. privacy law. To address this, companies should be required to adopt limited, intelligible, purpose-based rationales for data processing, as seen in the General Data Protection Regulation (GDPR), and individuals should have a private right of action against companies that exceed those specified purposes.
The Existing Legal Frameworks
A significant number of the applicable legal frameworks in the U.S. are older and have statutory requirements incompatible with modern data use and technology. As discussed, people are under the misconception that HIPAA applies to all health data, but the act has almost no authority over private companies. The exception to this rule is for companies that qualify as “business associates” of medical providers and healthcare insurers under HIPAA, but the exception is narrow and fails to cover a significant portion of consumer medical technology companies. Meanwhile, Section 5 of the Federal Trade Commission (FTC) Act allows the FTC to go after companies that have engaged in unfair or deceptive acts or practices. However, this standard is nearly impossible to meet when users voluntarily agree to complex privacy policies. The Computer Fraud and Abuse Act similarly falls short. Its statutory language is ambiguous, leading to broad and inconsistent applications.
Additionally, Congress is deeply dysfunctional, and state laws are also insufficient at protecting individuals’ health data because they often suffer from intelligibility concerns. One state privacy statute is the California Privacy Rights Act (CPRA). The CPRA allows companies to sell consumer data unless an individual opts out of data sharing, but because most people do not feel adequately informed about what they are reading when reviewing a privacy policy, they are unlikely to comprehend the opt-out process. Meanwhile, Washington state’s My Health My Data Act requires that companies obtain consumers’ consent to collect health data and that they obtain separate consent to sell the data. However, this statute falls short because even if customers attempt to read the medical, technical, and legal jargon involved in companies’ multitude of consent agreements, the likelihood they truly understand the full implications of these complex consent agreements is slim. Consequently, they are more likely to give misinformed and therefore insufficient consent. Overall, even state laws enacted during the rise of consumer medical technology fail to adequately protect users, as notice and transparency requirements are meaningless without genuine comprehension.
Potential Solutions
The EU’s GDPR, specifically its purpose-based processing provisions, offers the U.S. a solution for the rampant distribution of health data collected from consumer medical technology. The GDPR provides strict purpose-based requirements for the processing of sensitive categories of data, such as health data, and lays out specific requirements for consent, including that the request for consent be “intelligible and easily accessible.” Purpose-based requirements are the reasons that companies can give in order to be allowed to use consumers’ health data. The list of acceptable reasons is short and specific, which limits how companies can use their customers’ data. If the U.S. adopted purpose-based processing requirements and intelligible consent requirements like the GDPR, then consumer medical technology companies would be less likely to escape accountability for commodifying consumers’ health data by hiding such requests in complex privacy policies.
The best way to apply such a statute in the U.S. would be to create an agency whose sole responsibility would be to publish guidelines, enforce compliance, and issue fines related to the act, similar to the current role of the European Data Protection Board and Data Protection Agencies in enforcing the GDPR. By allowing one agency to focus on data privacy matters, the U.S. would be able to generate strong, standardized data privacy protections as opposed to a patchwork of state regulations. Meanwhile, the agency would not conflict with the FTC as a regulator because Congress could, and should, simply give the agency sole control over data privacy matters. Congress has the power to create new agencies and has historically done so when certain regulatory topics have become too expansive and cumbersome. There is no reason why Congress cannot do so now with data privacy protection. In fact, this would free up the FTC to focus on its various other objectives. Moreover, the agency could make sure consent was intelligible by spot-checking the privacy policies entities give consumers, similar to how the Environmental Protection Agency currently spot-checks vehicles for compliance with emissions standards. By spot-checking, the agency would create an environment where companies take intelligibility and consumer data privacy seriously out of fear of legal penalties, because they would never know when they might be the company spot-checked.
Another way to hold consumer medical technology companies accountable is to create a private right of action for data privacy violations, as in Illinois’ Biometric Information Privacy Act (BIPA). Unlike most data privacy statutes in the U.S., BIPA allows individuals to sue entities that collect and then misuse individuals’ biometric identifiers. Individuals can recover damages for every instance of a negligent or intentional violation. Given that 78 percent of Americans use healthcare applications and some consumer medical technology companies have millions of customers, the damages claims the companies might face under a federal data privacy statute with a private right of action would be staggering. The potential liability of large-scale damages would incentivize companies with large user bases to better safeguard consumer data. A statute with a private right of action would also force companies to bolster their cybersecurity, lessening the risk they would get hacked and consequently improving their protections of customers’ data.
Conclusion
Individuals’ health data collected from consumer medical technology faces numerous privacy risks, and those who suffer from the abuse of their health data in the U.S. have little recourse within the legal system, which exacerbates the problem. In the current regulatory regime, it’s buyer beware. However, it is time for the government to create a new regulatory regime that sends a different message: company beware.
Elisabeth Buscemi
GLTR Staff Editor; Georgetown University Law Center, J.D. expected 2027; Johns Hopkins University, B.A. 2022.