background image blur
background image
  • Blog
    >
  • News
    >
  • Smartwatches Are Failing Basic Privacy Tests

Smartwatches Are Failing Basic Privacy Tests

ina-img
By Contributing Privacy Writer Ina H.
clock icon
Last updated: 15 July, 2026
smartwatches-failing-privacy-tests

Key Takeaways

  • EFF reviewed ten major wearable makers, including Amazfit, Apple, Coros, Garmin, Google, Hume, Oura, Polar, Suunto, and Whoop, and found only Apple and Google currently publish transparency reports on government data requests.
  • Apple Watch is the only mainstream wearable that offers end-to-end encryption, and only for data stored inside the Apple Health app.
  • After inquiries from a journalist, Oura updated its privacy policy in June 2026 and said it's evaluating a future transparency report.
  • Wearable data, including heart rate and step counts, has already been used as evidence in criminal investigations.

Ten Companies, Two Transparency Reports

EFF reviewed Amazfit, Apple, Coros, Garmin, Google, Hume, Oura, Polar, Suunto, and Whoop, the ten companies behind most of the wearables people actually buy. After reviewing every public privacy policy and emailing each company directly, the group's newly published analysis found that only two of them, Apple and Google, currently publish transparency reports showing how often governments request user data.

That is the same disclosure standard email providers and social platforms settled on more than a decade ago. Wearable makers, who now collect heart rate, sleep, and location data around the clock, are only starting to catch up, and most of them have not bothered at all.

Oura is the closest thing to a bright spot in the bunch. After a journalist pressed the company with repeated questions, Oura updated its privacy policy in June 2026 and told EFF it is exploring ways to give users more visibility into how it handles government requests. Suunto gave a similarly noncommittal answer, saying it continuously evaluates its transparency practices. The other seven companies never responded to EFF's questions, and none of them publish anything resembling a transparency report.

Meanwhile, this fits a pattern that has already played out across the rest of the internet, where platforms and advertisers have built systems that collect data without meaningful consent into the default experience. Wearable makers are simply the latest arrivals to a business model that has never needed users to say yes.

The One Watch That Actually Locks Its Own Data

End-to-end encryption means the company storing your data cannot read it, only you can. It is standard in messaging apps like Signal, and Amazon added it to Ring cameras years ago after public pressure. There is no technical reason it could not exist for wearables too, and yet almost none of them offer it.

The Apple Watch is the sole exception, and only for data stored in the Apple Health app. If you sync your Apple Watch to Strava or wear an Oura ring alongside it, that data is not end-to-end encrypted once it reaches those companies' servers. Every other major wearable, including devices from Garmin, Google, Oura, and Whoop, instead relies on encryption in transit and at rest, which still leaves each company fully able to see, store, and use your data.

A handful of Garmin and Polar watches can operate locally without syncing to the cloud, though most models lose functionality without it. Apple Health also lets users disable iCloud sharing entirely, keeping data on-device only, a feature EFF found nowhere else without resorting to third-party workarounds. Companies will point to AI features and social syncing as the tradeoff, and, well, that tradeoff should belong to the user deciding what to install on their own wrist, not the manufacturer deciding it for them by default.

Your Heart Rate Is Already Evidence in Court

Health data pulled from wearables already feeds a broader pattern of using intimate data for law enforcement in ways most owners never anticipated when they bought a fitness ring. Heart rate spikes and step counts have been used to place suspects near a scene or establish a timeline in criminal cases. Surveillance vendor Penlink openly markets fitness trackers and wearables to investigators as an overlooked data source, precisely because movement patterns and physiological changes are so revealing. Law enforcement can request this information through subpoenas or warrants, and without a transparency report from the manufacturer, users have no way to know how often that happens.

None of this requires a hack or a breach. It just requires a company deciding not to tell you.

A smartwatch that tracks your heartbeat, your sleep, and your location has no business operating under weaker privacy standards than the apps on your phone. The companies making these devices know exactly how sensitive this data is, they market it as a window into your health, and then they build none of the safeguards that admission should demand. Apple has shown the rest of the industry that it is technically possible to do better. Every other name on EFF's list has simply chosen not to.


Share on
Facebook share Twitter share Reddit share Linkedin share

Be part of the resistance, quietly.

Get Mysterium VPN Arrow icon
awareness campaign banner img
ina-img
Ina H.
Contributing Privacy Writer

Ina is an occasional contributor covering the overlooked corners of the internet – surveillance, data grabs, and the invisible systems that sometimes know more about us than our friends do.

Read more by this author
© Copyright 2026 UAB "MN Intelligence"