Smartwatch and smart ring privacy sits in a legal grey zone for most consumers: the data your device collects on your heart rate, sleep, and fertility is almost certainly not protected by federal law, and what protections exist depend heavily on which state you live in and which company made your device.

More than 560 million people worldwide now own smartwatches, including more than 1 in 4 Americans, according to Statista. Yet the United States has no federal privacy law covering consumer health data collected by wearables. HIPAA, the Health Insurance Portability and Accountability Act passed in 1996, does not apply to wearable manufacturers, which are not classified as covered healthcare entities.

Smartwatch and Smart Ring Privacy in a Regulatory Vacuum

At least 20 comprehensive state privacy laws have been enacted since California passed the California Consumer Privacy Act in 2018, according to ArentFox Schiff. New laws in Indiana, Kentucky, and Rhode Island took effect in 2026, pushing the total above that figure, per MultiState. California also expanded its data broker registration law (CA SB 361) in 2026 to require brokers to disclose whether personal data is sold to foreign actors, government bodies, or generative AI developers.

The result is a patchwork: consumers in states with strong laws can access, delete, and opt out of the sale of their data; those elsewhere often cannot. Maryland’s law, which covers data processing activities beginning 1 April 2026, illustrates the variation in enforcement teeth: fines run $1,000 for a first violation and $5,000 for each subsequent violation, according to ArentFox Schiff.

‘Consumers are increasingly interested in downloading, accessing, and using their health data for fitness, or managing their family’s health records, but really have to be sleuths to understand whether or not they are protected based on the state they’re in,’ said Jules Polonetsky, CEO of the Future of Privacy Forum, a nonprofit backed by more than 180 companies and foundations. Polonetsky has led the organisation since 2008 and previously served as Chief Privacy Officer at AOL and DoubleClick. ‘The number one thing we need is a federal privacy law, which includes at least a minimum of health data protection outside of HIPAA,’ he added.

Without that federal baseline, ‘what governs the use and protection, collection and sharing of your personal data and health data in all of these instances is the terms of service and privacy policies,’ said Caitlin Fennessy, vice president and chief knowledge officer of the nonprofit IAPP.

Who Profits From Your Health Data?

A Semantic Scholar-indexed study published in npj Digital Medicine on 14 June 2025 evaluated the privacy policies of 17 leading wearable manufacturers against 24 criteria spanning transparency, data minimisation, user rights, and breach notification. The findings expose wide gaps. High Risk ratings were most common for transparency reporting, where 76% of manufacturers fell into that category, and for vulnerability disclosure (65%). Low Risk ratings were most common for identity policy (94% of manufacturers) and data access (71%).

Google, Apple, and Polar scored best overall; Xiaomi, Wyze, and Huawei scored worst. ‘Our findings highlight inconsistencies in data governance across the industry and underscore the need for stronger, sector-specific privacy standards,’ the paper noted.

The cybersecurity dimension extends beyond data-sharing. A commentary in Nature’s npj Digital Medicine notes that the FDA has acknowledged some connected wearable devices can be hacked, and that at least one cybersecurity-related recall has affected 500,000 devices.

Polonetsky offers a simple commercial test for consumers weighing smartwatch and smart ring privacy trade-offs. ‘If you’re paying a good chunk of money for a watch or a ring and a paid service, they’ve got a significant incentive to keep you happy,’ he said. ‘If it’s free, you really want to look closely and understand where and how someone’s giving you a free service. If they’re not a charitable enterprise or a HIPAA-covered medical provider, somewhere monetization is happening, and it’s probably your data.’

Companies that take privacy seriously tend to make it visible. Fennessy notes that manufacturers building their brand around privacy will typically publish clear, high-level information about whether data stays on the device or moves to the cloud, whether it is end-to-end encrypted, and whether it is shared with third parties. If that information is not publicly accessible, she suggests proceeding with caution.

What You Can Do Right Now

Practical steps for managing smartwatch and smart ring privacy do not require reading the full terms of service. Audit which devices and services your phone is connected to: both Apple and Google expose these connections in their settings. Delete data from any wearable you no longer use, since dormant accounts can be exposed in future breaches. If you feed health data from wearables into an AI tool, check whether that service uses your data for model training and toggle the option off if you prefer not to contribute.

‘Telling people “don’t share sensitive information,” which was pretty good advice a number of years ago, is no longer tenable,’ Polonetsky said. ‘People are finding incredible value in being able to analyze their health records. It’s now about understanding who you’re sharing with, and whether or not you’re using a service that is in the business of monetizing your data.’

The pressure point is federal legislation. Until Congress passes a minimum floor for consumer health data, the gap between a well-resourced manufacturer with transparent privacy practices and one that treats your biometrics as inventory will remain as wide as the gap between the states themselves.
