Online platforms allow people to browse through an inordinate number of subjects until their attention is caught. As a result, novel ideas can go viral with a few taps and quickly reach an audience far outside a person's individual network. Because of this, lifestyle topics, trends and online debates are more prolific and pervasive than ever. The psychology of attracting attention and audiences aside, it is indisputable that the practices of a few can quickly transform into opportunities for innovative companies.

With the goal of pursuing optimal health and performance, precision nutrition is just one example of a health trend gaining increasing social media attention. Although academic definitions differ, precision nutrition is the practice of understanding a body's unique response to dietary exposures and how they impact one's nutritional status. Commercial wearable health technology devices have made precision nutrition practices easier and more accessible to the average consumer than ever before.

Glucose monitoring, once primarily associated with diabetes management, is now emerging as a preeminent example of health technology in the realm of precision nutrition. Continuous glucose monitors are small, worn devices that pair with an app to provide real-time monitoring of blood glucose levels in a readable format. This allows each person to learn about their internal metabolic response and gain insights into how their body responds to specific foods, activities and lifestyle choices. This individuality is key because the body's response to a specific food or workout differs from person to person. Analysis on such a micro level theoretically allows for precise planning and adjustments that support metabolic health, performance goals or other priorities for a given individual.

In the U.S., the data CGMs gather is protected by the Health Insurance Portability and Accountability Act if it is collected by covered entities or business associates, as well as a medley of emerging health data laws at the state level. For example, Washington's My Health My Data Act places significant regulations on health technology devices that collect biometric information. The MHMDA defines biometric data as data "generated from the measurement or technological processing of an individual's psychological, biological or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data." Biometric data falls under the broader category of consumer health data, which is defined as "personal information linked or reasonably linkable to a consumer that identifies the consumer's past, present, or future physical or mental health status."

Under the MHMDA, the collection, sharing or selling of biometric data, as part of consumer health data, requires consent from the consumer. This consent must be specific, informed, voluntary and signified through a clear, affirmative act rather than obtained through broad terms-of-use agreements, deceptive designs or passive actions like hovering a cursor over content on a website.

Consumer health data is an emerging trend in the state patchwork of privacy laws. In addition to the MHMDA, Connecticut and Nevada have both enacted regulations concerning and protecting consumer health data, although the laws define the term differently. The proposed New York Health Information Privacy Act defined regulated health information as "any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual." Although the bill did not pass the legislature before the session closed, if it had been successful, it would have imposed stringent requirements on organizations that collect health information, as defined, for any New York resident, even those located outside the state. While online promoters and influencers focus on the benefits of CGMs for dieting, endurance or even health maintenance, companies must carefully traverse the growing maze of regulation, the shift toward transparent practices and data minimization, all while providing innovative products for their customers.

A peek into the privacy policies and terms and conditions of different companies that market CGMs shows these companies typically collect, process and store data on a consent basis that furthers their legitimate business interests and allows them to provide services to their customers. Some companies have specifically outlined their policies in relation to the MHMDA or other applicable consumer laws to demonstrate their company's compliance more clearly. Interestingly, while many privacy policies are clear that the data representing the metabolic responses of a person is protected health information under HIPAA or consumer health laws, the processed data derived or extrapolated from other information — or data not explicitly defined as consumer health data — is also used by some companies for various internal business purposes. This includes a company's ability to use inferences it draws from a particular consumer's health data, even if the metric itself is not used.

On 5 March, the U.S. Food and Drug Administration cleared the first over-the-counter CGM for marketing, greenlighting the products' sale in the U.S. without a prescription. In its news release, the FDA highlighted how this marketing would allow access to CGM for "users without diabetes who want to better understand how diet and exercise may impact blood sugar levels." This access was emphasized by subsequent approval of CGMs "designed for general consumers who are looking to improve their overall health and wellness" rather than for managing diabetes.

With the growing popularity of CGMs and other health technology, regulators may find themselves behind the curve in their attempts to curtail the wave of technology that is quickly changing the landscape of health, fitness and nutrition, and industries may face yet another patchwork of state-by-state regulations. Similarly, although the technology may outpace regulation for a time, organizations developing and introducing wearable health technology to the marketplace must be cautious. Increasingly overlapping regulations and sector-specific laws will require thoughtful navigation for organizations. From principles of data minimization and other Fair Information Practice Principles to the Federal Trade Commission's business guidance resources, organizations should be aware of the support available to navigate the sometimes-opaque abyss innovators encounter in a new marketplace and to help them hold best practices at the forefront of their development and engineering decisions.

Cheryl Saniuk-Heinig, CIPP/E, CIPP/US, is a research and insights analyst at the IAPP.