How Fitness Apps Sell Your Health Data Without Consent
February 12, 2025
Your fitness tracker knows more about you than your doctor—and it’s selling that data to the highest bidder.
Millions of people track their steps, monitor their heart rates, and log their meals using fitness apps and wearable devices, assuming this data stays private. But behind the sleek interfaces of fitness trackers lies a rapidly growing industry driven by user data sales, where health information is quietly collected, analyzed, and sold to third parties, often without explicit consent.
Unlike healthcare providers, fitness apps face minimal legal restrictions when handling user health data, allowing them to share or sell sensitive information with few limitations.
But the risks go far beyond targeted ads. Could insurers use your fitness data to raise premiums? Could employers use it to evaluate job candidates? As fitness apps become more advanced, their ability to track, monetize, and manipulate personal health data is increasing, often at the expense of user privacy.
This article uncovers how fitness apps collect and sell health data, the hidden consequences of data sharing, and what needs to change to protect users in an era where your steps, heart rate, and calorie intake are just another commodity.
The Fitness Data Economy: Who Profits From Your Workouts?
Your fitness data isn’t just for you—it’s a valuable asset traded behind the scenes. Multiple industries capitalize on user health metrics, including:
- Insurance companies: Health and life insurers analyze fitness data to assess risk profiles. Regular workouts might qualify you for premium discounts, while an irregular heart rate or low activity could justify higher premiums or even policy denial.
- Advertisers & marketers: Your fitness habits help brands push hyper-targeted ads, from supplements to premium workout gear.
- Employers & wellness programs: Some workplaces incentivize employee fitness tracking, using it to adjust healthcare costs. But what happens when a low step count or irregular sleep pattern influences promotions or job evaluations?
- Data brokers: These middlemen collect and resell health data to financial institutions, pharmaceutical companies, and other third parties, often without users realizing it.
How Fitness Data Can Be Used Against You
One of the most alarming examples of fitness data misuse came when Strava, one of the most popular fitness apps, exposed secret military bases by aggregating user heatmap data. Soldiers unknowingly revealed their locations just by tracking their workouts.
While this case involved military security, it highlights a broader issue: If seemingly harmless fitness data can expose classified operations, what risks does it pose for ordinary users when sold to third parties?
Fitness data has far-reaching consequences—shaping everything from insurance premiums to hiring decisions. As data collection becomes more sophisticated, the ability to track, predict, and even manipulate personal behavior is increasing.
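The Strava heatmap case above is an aggregation failure: a map cell lit up by only a couple of accounts still pins those accounts to a place, and a remote loop run daily can even glow brighter than a busy park. The block below is an added example, not code from the article or from Strava, showing the mitigation a privacy engineer would apply before publishing any activity heatmap: bin GPS samples into grid cells and drop every cell with fewer than k distinct contributors. The coordinates, user ids, cell size and threshold are all constructed for illustration.

```python
"""Added example: k-anonymity style suppression for an activity heatmap.

A naive heatmap publishes a point count per cell. The publishable version
keeps a cell only when at least MIN_USERS distinct accounts contributed to
it, so a place used by a small group is withheld entirely rather than
rounded. All data below is constructed; nothing comes from a real app.
"""
from collections import defaultdict

CELL_DEG = 0.01   # assumed grid cell size in degrees (roughly 1 km)
MIN_USERS = 5     # assumed minimum distinct contributors per published cell


def cell_for(lat, lon):
    """Map a coordinate to a grid cell id by flooring to CELL_DEG."""
    return (int(lat // CELL_DEG), int(lon // CELL_DEG))


def aggregate(samples):
    """Group (user, lat, lon) rows into cells, tracking points and distinct users."""
    cells = defaultdict(lambda: {"points": 0, "users": set()})
    for user, lat, lon in samples:
        cell = cells[cell_for(lat, lon)]
        cell["points"] += 1
        cell["users"].add(user)
    return cells


def naive_heatmap(samples):
    """What gets published when aggregation is mistaken for anonymisation."""
    return {cell: data["points"] for cell, data in aggregate(samples).items()}


def publishable_heatmap(samples, min_users=MIN_USERS):
    """Keep only cells with at least min_users distinct contributors.

    Cells below the threshold are dropped, not rounded: even a count of 1
    reveals that somebody was there.
    """
    return {cell: data["points"]
            for cell, data in aggregate(samples).items()
            if len(data["users"]) >= min_users}


def suppressed_cells(samples, min_users=MIN_USERS):
    """Cells withheld by the threshold, for an internal audit report."""
    return sorted(cell for cell, data in aggregate(samples).items()
                  if len(data["users"]) < min_users)


# Constructed data: a city park used by 8 accounts (20 points each) and a
# remote location where only 2 accounts run the same loop every day.
PARK = (40.7829, -73.9654)
REMOTE = (31.2001, 45.3002)

SAMPLES = []
for u in range(8):
    SAMPLES.extend((f"user{u}", PARK[0], PARK[1]) for _ in range(20))
for u in ("user100", "user101"):
    SAMPLES.extend((u, REMOTE[0], REMOTE[1]) for _ in range(200))

if __name__ == "__main__":
    naive = naive_heatmap(SAMPLES)
    safe = publishable_heatmap(SAMPLES)
    print("naive:", naive)            # remote cell is the brightest: 400 points from 2 users
    print("publishable:", safe)       # only the park cell survives
    print("suppressed:", suppressed_cells(SAMPLES))
```

The naive map makes the two-account location the brightest spot on the map, which is exactly how a handful of soldiers' daily runs outlined a base. The threshold is a floor, not a guarantee: cells on the boundary between sparse and busy areas, and repeated publication with slightly different bins, still need review before release.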
How Much Is Your Health Data Worth?
In 2023, the health and fitness app industry brought in over $4 billion, with up to 25% of revenue coming from advertising and data monetization. Meanwhile, data brokers trade health records for mere cents per person, with lists of individuals with conditions like anxiety or depression selling for as little as $0.06 per record.
The worst part? Users don’t see a cent of these profits. Once sold, this information is nearly impossible to reclaim, leaving consumers with little control over who ultimately gains access to their private health history.
How Fitness Apps Exploit Legal Loopholes to Sell Your Data
Fitness apps collect vast amounts of personal health data, yet they operate in a regulatory gray area that allows them to sell and share this data without meaningful user consent. Unlike hospitals and healthcare providers, these apps aren’t bound by strict medical privacy laws like HIPAA, leaving users vulnerable to data exploitation.

1. The HIPAA loophole: When health data isn’t legally “medical”
HIPAA protects medical records handled by healthcare providers, but fitness apps aren’t classified as healthcare entities. This means:
- Your step count, heart rate, and sleep data don’t qualify as protected health information (PHI) under HIPAA.
- Wellness and fitness trackers can legally share health insights with third parties without needing explicit user permission.
- Once data is shared with advertisers, insurers, or data brokers, users lose all control over how it’s used or resold.
Because fitness apps collect the same type of data as doctors and hospitals but aren’t held to the same privacy standards, they can monetize health data with minimal oversight.
2. Vague terms of service: Consent without clarity
Most fitness apps bury data-sharing details deep in their terms of service, written in complex legal jargon. This allows them to:
- Obtain broad, vague consent from users who don’t fully understand what they’re agreeing to.
- Change privacy policies without direct user notification, suddenly expanding who they can sell data to.
- Make opt-outs difficult: users often have to navigate multiple settings or even delete their accounts entirely to stop data sharing.
Without clear privacy regulations, fitness apps self-police their privacy practices, often prioritizing corporate interests over user rights. Until stronger data privacy laws are enforced, users remain vulnerable to hidden data sales, third-party tracking, and financial profiling.
What Needs to Change: The Future of Fitness Data Privacy
As fitness apps continue to collect and sell personal health data, stronger privacy protections, regulatory oversight, and user control are needed to prevent misuse.
1. Stricter data privacy laws for health apps
Governments and regulators must close the legal loopholes that allow fitness apps to operate outside traditional healthcare privacy laws. Solutions include:
- Expanding HIPAA protections to include fitness apps and wearables.
- Requiring opt-in consent before health data can be shared with third parties.
- Enforcing stronger penalties for companies that misuse health data.
2. Transparency in data collection and sharing
Consumers deserve to know who can access their health data and how it’s used. Fitness apps should be required to:
- Provide clear, easy-to-read data policies that explicitly list third-party partners.
- Offer real-time data dashboards showing where user data is being sent.
- Notify users before their data is shared with insurers, advertisers, or data brokers.
Without transparency, users remain unaware of how their daily workouts and health tracking contribute to a hidden marketplace.
3. Greater consumer control over health data
Beyond awareness, users should have more control over their health information, including solutions like:
- Data deletion requests—users should have the right to permanently delete their fitness data, similar to the GDPR’s “right to be forgotten.”
- Granular privacy settings—allowing users to choose which data is shared (e.g., step counts vs. heart rate data).
- Independent oversight boards—third-party watchdogs should enforce fair data practices.
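The three changes above (opt-in consent, a transparency view of where data went, and granular per-category settings) can be enforced in one place: a consent gate that sits between the app's data store and every third-party export. The block below is an added example written for this article, not code from any fitness app or regulator. It is default-deny, scopes consent per recipient and per data category, and records each share so a user-facing dashboard can list it. The category names, recipient names and the sample record are constructed for illustration.

```python
"""Added example: a default-deny consent gate for third-party data exports.

Consent is stored per user, per recipient, per category. Nothing leaves
unless the user explicitly opted in, every export is logged, and revoking
consent takes effect on the next export. All names and values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed data categories a fitness app might expose as separate toggles.
CATEGORIES = ("steps", "heart_rate", "sleep", "location")


@dataclass
class ConsentStore:
    grants: dict = field(default_factory=dict)     # user -> recipient -> {categories}
    share_log: list = field(default_factory=list)  # one entry per actual export

    def opt_in(self, user, recipient, categories):
        """Record explicit, per-recipient consent for the named categories."""
        unknown = set(categories) - set(CATEGORIES)
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        self.grants.setdefault(user, {}).setdefault(recipient, set()).update(categories)

    def revoke(self, user, recipient, categories=None):
        """Withdraw consent for some categories, or for everything if None."""
        allowed = self.grants.get(user, {}).get(recipient)
        if allowed is None:
            return
        if categories is None:
            allowed.clear()
        else:
            allowed.difference_update(categories)

    def allowed(self, user, recipient):
        """Categories this recipient may receive; empty set means deny all."""
        return set(self.grants.get(user, {}).get(recipient, set()))

    def export(self, user, recipient, record, now=None):
        """Filter `record` down to consented fields and log the share.

        Returns (payload, dropped). Fields outside CATEGORIES (identifiers,
        anything new the app starts collecting) are never exported by default.
        """
        allowed = self.allowed(user, recipient)
        payload = {k: v for k, v in record.items() if k in allowed}
        dropped = sorted(k for k in record if k not in allowed)
        if payload:
            stamp = (now or datetime.now(timezone.utc)).isoformat()
            self.share_log.append({"time": stamp, "user": user,
                                   "recipient": recipient,
                                   "fields": sorted(payload)})
        return payload, dropped

    def dashboard(self, user):
        """What a 'where did my data go' view would show this user."""
        return [entry for entry in self.share_log if entry["user"] == user]


# Constructed sample record; the user_id field is deliberately outside CATEGORIES.
RECORD = {"steps": 8421, "heart_rate": [61, 72, 140], "sleep": 6.5,
          "location": (40.7829, -73.9654), "user_id": "u1"}

if __name__ == "__main__":
    store = ConsentStore()
    print(store.export("u1", "insurer", RECORD))      # ({}, all fields): default deny
    store.opt_in("u1", "insurer", ["steps"])
    print(store.export("u1", "insurer", RECORD))      # only steps leaves
    print(store.export("u1", "advertiser", RECORD))   # consent does not transfer
    print(store.dashboard("u1"))
```

Two design choices matter here. The gate filters on an allow-list of categories the user can name, so a field the app starts collecting later is withheld until the user is asked again, which is the opposite of the "change the policy quietly and expand who gets the data" pattern described earlier. And the log records only which fields went where, not the values, so the transparency view itself does not become a second copy of the health data.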
4. Ethical business models that don’t rely on selling health data
Currently, many fitness apps make money by offering free services in exchange for user data. A shift toward subscription-based models or privacy-focused alternatives could reduce reliance on data sales.
- Subscription-based models offer a sustainable alternative without monetizing user information.
- Some privacy-first fitness apps, such as Apple’s Health app, store data locally (or sync to iCloud with end-to-end encryption), ensuring privacy. Furthermore, Apple states it does not sell user information.
More companies should adopt privacy-by-design principles, prioritizing user protection over monetization.
Conclusion
The fitness tech industry has revolutionized personal health tracking, but consumers are exposed to data exploitation without stronger privacy protections. Real change requires legal reforms, corporate transparency, and greater user control over personal health data.
Until stricter regulations are in place, every step tracked, heartbeat recorded, and sleep cycle monitored may be sold without your knowledge or consent.