Communications Litigation Today was a Warren News publication.

Norway's Consumer Protection Agency Slaps Fitness Wearables Over Privacy Policies

Fitness wristband makers Fitbit, Garmin, Jawbone and Mio might be collecting and sharing more personal data about users' health, activities and locations than needed, potentially violating privacy-related laws, said Norway's consumer protection agency in a Thursday news release. "We fear that this information can be exploited for direct marketing and price-discrimination purposes, and that basic privacy principles are being neglected," said the Norwegian Consumer Council, or Forbrukerrådet. An NCC report analyzed each product's terms and conditions. The council said it's submitting a formal complaint to the Norwegian Data Protection Authority and Consumer Ombudsman for breaking both European and Norwegian consumer, data protection and marketing laws. Besides collecting more data than needed, NCC said, the companies don't fully explain with whom they might share the data or how long it will be retained. They also don't give proper notice about changes to the terms of service, the agency said. Jawbone said in a statement it's reviewing the report but it gets permission from users to share their data, and they can ask the company to delete it. "We want to reassure our users and let them know that we only share their data if they ask us to -- for example to integrate with a 3rd party app," said Jawbone. Fitbit said in a statement it doesn't sell or share data without user permission and tries to use "clear, non-legalese language in our policies" so users understand data collection and use. Fitbit said it was self-certified under Privacy Shield, the trans-Atlantic data transfer arrangement to protect Europeans' personal information. Although Garmin said it disagrees with some unspecified statements in the NCC report, it's working to make some language clearer in its privacy policy, enhancements that will be released in the coming weeks. 
Garmin said other NCC suggestions will be integrated into data protection practices and policies that will be made in preparation for the general data protection regulation. The company said it doesn't share or sell data to third parties without explicit consumer consent. Mio didn't comment.