Texas is suing Google for facial and voice recognition features that capture data from users who have not consented. The Attorney General for the state, Ken Paxton, identified the problematic capture of ‘millions of biometric identifiers, including voiceprints and records of face geometry, from Texans through its products and services like Google Photos, Google Assistant, and Nest Hub Max.’ A similar case from Illinois regarding Google Photos was settled for over $100 million.

Smartwatches specifically are beginning to gather more data and have already been cleared by the FDA to begin analysing heart activity. The users of these features are consenting to the data collection, but what happens when it is in the interest of a company to give access to insurers or employers? This can be used to inform employer decisions, insurance rates, and population marketing of products. It becomes particularly powerful when used in conjunction with other data points like name, location, age, and shopping habits to create a profile.

This data does not even need to be intentionally distributed by the company responsible for its collection; many healthcare records have been the target of ransomware attacks or data breaches, with varying degrees of success. Some have been released and resulted in large fines, such as Premera Blue Cross being fined $6.85 million in 2020.

HIPAA in the US and GDPR in the EU set out more stringent requirements for patient privacy. These help to attach real costs to privacy violations and incentivise companies to protect patients.

Companies can limit their liability by having users be responsible for the storage of this data or at least by limiting the timeframe they keep it. It is now more important than ever to pay attention to patient privacy and reward those companies that respect it.