Government agencies have launched investigations into the sale of user location data from health and wellness apps by data brokers. These actions come as consumer privacy concerns escalate, particularly regarding sensitive medical information tied to individuals’ movements. Regulators seek to determine if the practices of data brokers comply with privacy laws and ethical standards.

Background of Data Collection in Health Apps

Millions of people use health and fitness apps to track exercise, diet, menstrual cycles, and medication schedules. These apps commonly request users’ location data, sometimes to improve services or personalize advice. Often, individuals are not fully aware of where their data goes or how it is used beyond the app’s features. Many app operators share or sell the information to third-party brokers, who then distribute it to marketers, insurers, and sometimes other agencies.

This ecosystem allows the transfer of deeply personal data, including users’ visits to clinics, hospitals, addiction centers, or even reproductive health providers. As a result, there is a growing concern that sensitive location information could be used to profile or harm individuals, intentionally or inadvertently. The lack of strong legal safeguards around health-related location data compounds the problem.

Regulatory Agencies and Their Concerns

State and federal agencies, including the Federal Trade Commission (FTC), are scrutinizing data brokers that buy and sell mobile app location data. Regulators question whether these companies obtain proper user consent before collecting and trading this information. They are also concerned that disclosure in privacy policies may not be clear or accessible to average app users.

The probes focus on whether data brokers violate the Health Insurance Portability and Accountability Act (HIPAA) or other federal and state privacy laws. While HIPAA covers medical providers and insurers, it does not broadly protect health data in commercial apps. This regulatory gap leaves users vulnerable and creates uncertainty for companies handling such data.

How Location Data Is Gathered and Sold

Health and wellness apps often collect GPS or Wi-Fi location data each time a user opens them. Users typically agree to data collection by accepting lengthy privacy policies or app permissions. These documents may not make clear that location histories could be sold to third parties for profit.

Data brokers receive bulk datasets, sometimes anonymized, linked to mobile advertising IDs instead of names. Still, research shows that individuals can sometimes be reidentified from movement patterns and addresses. Once brokers obtain the information, they may sell it to marketers, advertising agencies, or other businesses wanting detailed consumer profiles. Occasionally, law enforcement or government entities also purchase access to such data.

Civil Liberties and Health Equity Risks

Advocates warn that sharing exact location data from health apps could have serious consequences for civil liberties and health equity. For example, location trails could reveal visits to fertility clinics, HIV treatment centers, addiction support meetings, or mental health providers. Public disclosure or misuse of this information could subject individuals to stigma, discrimination, or even legal threats, particularly in regions with restrictive health laws.

Communities already experiencing health disparities could face heightened surveillance or targeting. Data leaks or breaches could enable malicious actors to track people seeking sensitive medical care. These potential outcomes amplify calls for regulatory reforms and corporate accountability.

Industry Defenses and Compliance Measures

App developers and data brokers argue that they typically de-identify and aggregate data before sharing it with clients. They claim this practice protects individual privacy and precludes reidentification. Companies also point to built-in opt-outs and user controls provided in app settings.
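The gap between this de-identification claim and the reidentification research mentioned earlier can be measured before a dataset is shared. The following is an added example, not code from the article or from any company it describes: it counts how many pseudonymous advertising IDs share the same set of most-visited grid cells. The IDs, coordinates, grid sizes and function names are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample (not real data): pseudonymous ID -> two frequent places.
PLACES = {
    "id-a": ((40.7128, -74.0062), (40.7580, -73.9853)),
    "id-b": ((40.7131, -74.0071), (40.7577, -73.9862)),
    "id-c": ((40.7306, -73.9352), (40.7580, -73.9853)),
    "id-d": ((40.7309, -73.9358), (40.7583, -73.9851)),
    "id-e": ((40.6782, -73.9442), (40.6892, -74.0445)),
}
# Expand to ping rows (ad_id, lat, lon): three at the first place, two at the second.
PINGS = [(ad_id, *place) for ad_id, (first, second) in PLACES.items()
         for place in [first] * 3 + [second] * 2]


def cell(lat, lon, decimals):
    """Snap a coordinate to a grid cell (2 decimals is roughly 1.1 km of latitude)."""
    return (round(lat, decimals), round(lon, decimals))


def signatures(pings, decimals, top_n=2):
    """Map each ID to the set of its top_n most frequently visited cells."""
    visits = defaultdict(Counter)
    for ad_id, lat, lon in pings:
        visits[ad_id][cell(lat, lon, decimals)] += 1
    return {ad_id: frozenset(c for c, _ in counts.most_common(top_n))
            for ad_id, counts in visits.items()}


def anonymity_sets(pings, decimals, top_n=2):
    """Return {ad_id: k}, where k is the number of IDs sharing that signature."""
    sigs = signatures(pings, decimals, top_n)
    sizes = Counter(sigs.values())
    return {ad_id: sizes[sig] for ad_id, sig in sigs.items()}


def below_threshold(pings, decimals, k_min, top_n=2):
    """IDs whose anonymity set is smaller than k_min; these should block release."""
    sets = anonymity_sets(pings, decimals, top_n)
    return sorted(ad_id for ad_id, k in sets.items() if k < k_min)


if __name__ == "__main__":
    for decimals in (3, 2):
        print(decimals, anonymity_sets(PINGS, decimals),
              below_threshold(PINGS, decimals, k_min=2))
```

On this sample every ID is unique at three decimals, and one is still unique after coarsening to two, so replacing names with advertising IDs and coarsening coordinates does not by itself place a record in a group.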

Many firms assert that users provide consent, at least implicitly, when they accept privacy policies or permissions on initial setup. They also highlight compliance with legal requirements in their operating regions. Still, critics argue that disclosures are often buried in lengthy documents and do not reflect meaningful, informed user choice.

Enforcement Actions and Legal Developments

Regulators have subpoenaed several data brokers and mobile health app companies to gather information about their data collection and sharing practices. Some firms have received notices regarding potential violations or upcoming enforcement actions. The FTC, in particular, has made public statements discouraging the sale of sensitive location data without explicit, informed consent.

Several U.S. states have introduced or passed legislation to prohibit or tightly regulate the sale of location data linked to health services. These laws often mandate clear consent, limit resale of data, and empower users to delete their information. Ongoing court cases may test the limits of existing consumer protection and privacy laws in the context of health app data.

International Perspective on Health Data and Privacy

The regulatory focus in the U.S. echoes efforts in Europe and other jurisdictions to bolster data privacy in the health sector. The European Union’s General Data Protection Regulation (GDPR) treats location and health data as highly sensitive, requiring explicit consent for processing. Noncompliance can incur steep penalties, encouraging better privacy practices among app developers and data brokers serving European markets.

By contrast, the U.S. continues to operate with a patchwork of state laws and sector-specific regulations. This difference leaves many American consumers with weaker protections for digital health location data.

The Push for Clearer User Consent and Control

Policy experts and privacy advocates urge stronger requirements for user consent around the sharing of health and location data. They recommend shorter, clearer privacy notices and more granular controls over data sharing. App stores and device manufacturers may also play a role by requiring stricter disclosures and allowing users to manage data permissions more easily from central dashboards.

There is momentum for privacy-by-design, where user interests are considered from initial development stages. This shift would help ensure users do not accidentally agree to share sensitive information with unknown third parties.

What This Means for App Users

Consumers using health and wellness apps should review privacy policies and app permissions regularly. They should seek apps that minimize unnecessary data collection and offer clear privacy controls. Users can also leverage device settings to limit location tracking, especially for sensitive health-related apps.

Until laws catch up, personal vigilance remains crucial to protecting one’s location and health information. Individuals can also advocate for stronger privacy rights by contacting lawmakers and supporting regulatory reform efforts.

Looking Ahead: The Future of Data Privacy in Health Apps

Regulatory probes into data broker practices mark a significant step toward transparency and accountability in digital health. As investigations continue, companies may change their practices to avoid legal and public backlash. Policymakers are more likely to consider sweeping reforms as public awareness of these issues grows.

In the long term, the outcome of these probes may influence the design and operation of health apps and the entire data broker industry. Moving toward ethical, user-centered data management benefits consumers, companies, and society as technology becomes further enmeshed in healthcare.

Author

By FTC Publications

Bylines from "FTC Publications" are typically produced by a collection of writers from the agency in general.