Follow ZDNET: Add us as a preferred source on Google.

ZDNET’s key takeaways

• Wearable owners need to understand how their data is being handled.
• The US lacks federal regulations around consumer health data.
• Consumers should properly manage their data and explore privacy policies.

Our modern smartwatches and smart rings go far beyond counting steps, constantly collecting data on our fitness, sleep, fertility, and so much more, and uploading them to an app. (Remember the days when we were told not to share any information online? How quaint.) But this widespread adoption raises new questions about data privacy, security, and your rights — because who actually owns all of that health data, you or the company collecting it?

The more data we collect, the more risk we take on of having our information compromised in a breach, or potentially having companies sell that data to third parties for marketing, insurance profiling, or other purposes that you don’t even know you’re opting into.

“People were cautious years ago when it came to more sensitive data types, but increasingly they’re finding enormous value in being able to access and use that information,” Jules Polonetsky, CEO of the Future of Privacy Forum, a nonprofit focused on consumer data protection, told ZDNET. “The downside is they’re not always taking the time to think through where, when, and how they ought to be taking any precautions.”

Over 20 states have now passed comprehensive data privacy laws, which generally give consumers the right to access, delete, and opt out of the sale of their personal information. However, they vary by state, and without federal regulation, what’s left is a patchwork quilt of requirements. 

Meanwhile, more than 560 million people worldwide now own smartwatches — including more than 1 in 4 Americans, according to Statista. “Consumers are increasingly interested in downloading, accessing, and using their health data for fitness, or managing their family’s health records, but really have to be sleuths to understand whether or not they are protected based on the state they’re in,” Polonetsky said. “The number one thing we need is a federal privacy law, which includes at least a minimum of health data protection outside of HIPAA.”

Contrary to popular belief, HIPAA (or the Health Insurance Portability and Accountability Act, passed in 1996) does not cover data collected by wearables, which are not considered covered entities, unlike healthcare providers.

That means it often falls on you as the consumer to determine how to protect yourself and your data.

Who can you trust?

With the lack of federal regulation, “what governs the use and protection, collection and sharing of your personal data and health data in all of these instances is the terms of service and privacy policies,” Caitlin Fennessy, vice president and chief knowledge officer of the nonprofit International Association of Privacy Professionals, told ZDNET. Those terms of service are designed to align with legal requirements and the company’s own approach to processing the data. 

A 2025 analysis published in the peer-reviewed journal npj Digital Medicine evaluated the privacy policies of 17 leading wearables manufacturers, using a rubric of 24 criteria across transparency, data collection purposes, data minimization, user control and rights, third-party data sharing, data security, and breach notification. 

Based on that rubric, Google, Apple, and Polar had the lowest risk scores (as in, they had the strongest privacy protections for consumers), and Xiaomi, Wyze, and Huawei had the highest risk scores. 

“Our findings highlight inconsistencies in data governance across the industry and underscore the need for stronger, sector-specific privacy standards,” the paper noted.

People who care about privacy will often decide which wearable to buy based on how much they trust the manufacturer generally, rather than by examining a privacy policy, Fennessey said. For example, if you’re in the Apple ecosystem and have been happy with how they’ve handled your data, you’re probably more likely to choose an Apple Watch over another brand. Some of that comes down to how these companies market their privacy offerings.

Seeking transparency

The companies most focused on privacy and security will typically provide clear, well-publicized information on how data is handled, such as whether it remains on the device versus in the cloud, whether it is end-to-end encrypted, and whether it is shared with third parties. 

“Often organizations that are trying to build their brand and reputation around privacy for these wearables will have those high-level points of information out there quite transparently and publicly, so there is a layer of quick diligence you can do when you are looking at these wearables that does not require you to read the legalese of terms of service and privacy policies,” Fennessey said.

On the other hand, if you don’t see this information out there transparently, then these probably aren’t features they are prioritizing, she added — so proceed with caution.

Another key consideration: How is this company actually making money? 

“If you’re paying a good chunk of money for a watch or a ring and a paid service, they’ve got a significant incentive to keep you happy,” Polonetsky said. “If it’s free, you really want to look closely and understand where and how someone’s giving you a free service. If they’re not a charitable enterprise or a HIPAA-covered medical provider, somewhere monetization is happening, and it’s probably your data.” 

In other words, if it’s a free service or a very cheap device, your data is probably the product. That might mean it’s being sold to third parties or advertisers who you wouldn’t necessarily want to know the ins and outs of your health.

Steps to protect yourself

Besides paying attention to manufacturers’ privacy promises and reputations, there are a few practical steps you can take to protect the data collected on your smartwatch or smart ring: 

• Read the privacy policy (or at the very least ask a chatbot for a summary, or search for the word “data” to find specifics about where your information is going). Look for those transparent, public-facing messages around privacy and data security from companies when shopping for a wearable.
• If you have a smartwatch or smart ring you aren’t using anymore, delete your data from it. You don’t want data sitting there unused in the event that the company is breached down the line.
• Check what devices your phone and wearables are connected to. Both Apple and Google will show you what services you’re connected to, and you should audit that every once in a while. For example, sometimes a piece of exercise equipment at your gym can connect to your smartwatch. You might use the feature, and then forget about it. But your watch could still be sharing information with that treadmill. 
• If you’re using an AI chatbot to analyze your health data collected by wearables and you don’t want it to train on your data, make sure you’ve checked your settings and toggled off the option to use your data for training, or that you’re using a temporary chat. (It’s also best practice not to upload any documents with personally identifiable information — make sure you redact or anonymize everything first.)

“Telling people ‘don’t share sensitive information,’ which was pretty good advice a number of years ago, is no longer tenable,” Polonetsky said. “People are finding incredible value in being able to analyze their health records. It’s now about understanding who you’re sharing with, and whether or not you’re using a service that is in the business of monetizing your data.”