
Your smartwatch knows your resting heart rate. Your fitness tracker logs your sleep cycles. Your glucose monitor shares data with an app on your phone. Millions of Americans now wear devices that collect extraordinarily intimate health information around the clock, but most users have no idea where that data goes after it leaves their wrist.
The legal framework governing wearable health devices and biometric data privacy is still catching up to the technology. But that does not mean consumers are without rights. Laws like the Illinois Biometric Information Privacy Act (BIPA) and the California Consumer Privacy Act (CCPA) are giving individuals real tools to hold companies accountable when their most personal data is mishandled, sold, or exposed. If you have ever worn a fitness tracker, smartwatch, continuous glucose monitor, or any health-sensing wearable, this article explains what you can do if those rights have been violated.
Modern wearable devices go far beyond step counts. The data harvested by these platforms increasingly falls into the category of biometric data — unique physical or behavioral characteristics that identify an individual. This can include heart rate and cardiac rhythms, blood oxygen saturation, sleep staging and duration, skin temperature fluctuations, electrodermal activity and stress indicators, menstrual cycle tracking, and ECG readings.
Increasingly, however, legal scholars and litigants are arguing that health metrics captured continuously over time can function as biometric identifiers because they form a biological fingerprint unique to each user. Courts are actively working through these questions, and the stakes are high.
Litigation involving wearable devices and health data is accelerating. Several high-profile cases illustrate where legal exposure is developing and what consumers have at stake.
Health and biometric data is not like a leaked email address. Once your biometric profile exists in the wild, it cannot be changed. You can get a new password. You cannot get new fingerprints. You cannot change your unique cardiac signature. The permanence of biometric data makes its exposure categorically more harmful than most other privacy violations.
Health data collected by wearables can be used by insurers, employers, and data brokers in ways that may affect your coverage, employment, or creditworthiness. Sleep disorder data could affect life insurance underwriting. Cardiac irregularity data, if exposed, could make you a target for health insurance discrimination.
Concerned Your Wearable Data Privacy Rights Have Been Violated? Contact The Lyon Firm today for a free, confidential case evaluation. Our attorneys handle BIPA claims and health data privacy cases nationwide.
The Federal Trade Commission has signaled clearly that health data collected by consumer apps and wearable-adjacent platforms is not beyond its reach — even when HIPAA does not apply. In 2023, the FTC took action against GoodRx, a health technology company, for sharing users' sensitive prescription and health data with Facebook, Google, and other advertising platforms without authorization.
Similarly, the FTC pursued BetterHelp, an online therapy platform, for disclosing users' mental health data to Facebook and Snapchat for advertising retargeting. BetterHelp agreed to a $7.8 million settlement.
The FTC's enforcement trajectory suggests that companies collecting biometric and health data through wearables face growing federal scrutiny — and that the legal risk is no longer confined to state-level statutes like BIPA.
A growing segment of the wearable market targets children and fitness trackers, GPS-enabled smartwatches, and health monitors are marketed to parents for monitoring their kids' activity, location, and vitals. The Children's Online Privacy Protection Act (COPPA) prohibits the collection of personal information from children under 13 without verifiable parental consent, and the FTC has consistently interpreted this to include location data, biometric identifiers, and health information.
In 2018, the FTC brought an action against VTech Holdings after a data breach exposed personal information of millions of children, including voice recordings and photos collected through connected devices. The case resulted in a $650,000 civil penalty.
Parents who purchased wearable devices for their children and later discovered that the platform was collecting, retaining, or sharing biometric or location data without adequate COPPA-compliant consent may have viable claims. Given that children's biometric data carries the same permanence risks as adult data — and that children cannot meaningfully consent to its collection — courts and regulators treat violations in this space with particular seriousness. If your child's health or location data has been collected without your informed consent, contact The Lyon Firm to discuss your legal options.
Most wearable device users understand that their data goes to the app on their phone. Far fewer understand where it goes next. A sprawling and largely unregulated data broker industry purchases, aggregates, and resells health-adjacent data derived from consumer devices. These brokers compile detailed profiles that can include inferred health conditions, activity patterns, sleep disorders, stress levels, and reproductive health data — all derived from wearable sensor readings that users believed were private.
If you have reason to believe your wearable health data was sold to third parties or data brokers without your meaningful consent, you may have a claim under BIPA, the CCPA/CPRA, or federal consumer protection law. An attorney experienced in health data privacy can evaluate the specific facts of your situation and advise on the best path forward.

If you believe a wearable device company has collected, shared, sold, or mishandled your biometric or health data without your informed consent, you may have legal options available to you. First, document everything — preserve your account information, privacy settings, and any communications from the company. Request a copy of your data from the company and review what has been collected and with whom it has been shared. Then consult with an attorney experienced in biometric privacy and health data law before the statute of limitations runs.
The Lyon Firm has built a national reputation representing individuals and classes of consumers in complex data privacy litigation, including biometric privacy cases under BIPA and health data privacy claims. When corporations collect your most sensitive biological data for profit without your knowledge or consent, The Lyon Firm fights to hold them accountable.
Whether you are pursuing an individual BIPA claim, joining a class action, or exploring your options after a data breach involving health information, The Lyon Firm has the experience and commitment to see your case through.
Take Action Today. If a wearable device company collected your biometric or health data without your knowledge or consent, you may be entitled to significant statutory damages. The Lyon Firm offers free consultations and handles BIPA and health data privacy cases on a contingency basis — no fee unless you win. Call us or submit your information online to speak with an attorney about your rights.
Taking the first step doesn’t have to be complicated. In just a few minutes, you can share the basics of your case, and our team will guide you from there: