Skip links

Norwegian Consumer Council: Fitness Trackers do not properly protect our data

Report. Fitness trackers have become popular in Norway, with 720.000 sold devices in 2015 alone. The Norwegian Consumer Council (NCC) has released a report investigating how well activity tracking technologies safeguard and handle the fitness data they collect. The short answer is that this data is poorly protected and leaves much to improve.

The report from NCC lists and analyses a list of important aspects of data protection and consumer information. Four popular trackers are analyzed in the report: Fitbit Charge HR, Garmin VivoSmart HR, Mio Fuse and Jawbone UP3. NCC asserts that none of the companies in the report live up to the list of criteria.
NCC state that they have analysed android versions, but suggest that the results will be comparable to those of iOS.

Low scores
Unfortunately, the scores are low across the four trackers, when it comes to the protection of the collected data.
For example, NCC highlights how it’s important to let the user know in advance, in case there are changes in the terms of agreement. You’ll recognize this as the long text that needs to be approved before you can open a new app or piece of software. NCC reports that the companies in question do not warn the customers if the terms of service are changed after the initial approval. This means that the customer says yes to one set of terms of agreement, but then the company can simply change this without notification.
Furthermore, none of the companies delimit their data collection process to the bare minimum. These companies will need some information for the apps to run properly, but NCC highlights how these companies go way further, and essentially collect too much data. This is an alarm bell to the NCC, who believes that companies should never gather more data than what is necessary.
If the companies want to share any of this data with a third party, such as a marketing or advertisement company, then the consumer must be made aware of this. However, NCC shows that this is rarely the case and that the four companies in the report do not properly inform their customers.
Many are aware that our phone and technologies have privacy settings, which we can change. However, few of us actually go through them, or change them. So the question is, which setting is the technology set to, as a default? If the technology is set to sharing, for example with social media, by default, it does not adhere to “privacy by default”. In this report only Garmin and Mio respect this principle.
Generally, these four companies do not do well in the analysis conducted by the Norwegian Consumer Council.

A hope for the future
The Norwegian Consumer Council highlights how the new “General Data Protection Regulation” will take effect in 2018 and should make it easier to work towards a stronger protection of costumer data. As the authors of the book “Data ethics- the new competitive advantage”, NCC believes that a better handling of users’ data will create a greater trust between the costumer and the company, and in turn create a competitive advantage. However, until then the individual user has to consider how they can best protect their sensitive fitness data.

What you can do
The Norwegian Consumer Council has published a short guide showing you how to choose a good provider, as well as how to best protect your data.

  • Check which data the Fitness tracker company collects and how it is shared
  • Decide which permissions you will grant the app
  • Consider which types of data you will share with Facebook and Google (many technologies will give you the option of logging in with Facebook)
  • Not all companies will let you download and easily transfer your data to a new device. As most users change technologies often this could be very important later on.
  • Delete app’s you no longer use
  • Delete your account if you no longer use the fitness tracker

Read more here


Fitness trackers contain various sensors that measure movement. The tracker registers these movements and synchronizes, via Bluetooth, with an app on the phone. The data is then sent to a server, where it is analyzed and returned back to the user, often in the shape of various visualizations.