Why does a step-counting app distributed by your employer need access to your contacts? In most cases the honest answer is that it does not. The less honest answer is in the privacy policy, somewhere around clause eleven, framed as personalization. The fitness data alone is already more revealing than people realize: a continuous step trace tells anyone reading it where you live, where you work, and roughly when you sleep. The fix is small. Open the app permissions and remove what the function does not require.
The pitch
A free fitness tracker arrives in a cheerful box, accompanied by an email that talks about community, well-being, and a discount on next year’s health premium. The framing is consistent across industries: the employer wants a healthier workforce, and the wearable is a tool to help you get there. The program is voluntary, the HR memo says, and participation is entirely your choice. The discount, however, can reach thirty percent of the cost of coverage under rules the Equal Employment Opportunity Commission finalized in 2016. That is not a small nudge. When the alternative is paying hundreds or thousands of dollars more for the same plan, the word “voluntary” starts to bend.
What they collect
The device captures steps, heart rate, sleep duration, and sometimes GPS traces. The companion app may ask for access to your phone’s motion sensors, contacts, and calendar. The privacy policy—if you can find it—often lists data categories in language broad enough to cover anything the sensor can measure. A heart-rate log, combined with step cadence and location, can infer stress levels, commute patterns, and even the onset of a condition before you have discussed it with a doctor. The employer typically does not see the raw feed. A third-party wellness vendor does. That vendor aggregates the data, scores it, and sends a summary back to the employer: participation rates, aggregate step counts, maybe a “health risk” flag. The boundary between aggregate and individual is thinner than the marketing suggests, especially in small offices where a single outlier is easy to spot.
What they don't tell you
The EEOC rejected a proposal that would have let employees avoid sharing medical information if they could show they were already under a physician’s care. The agency’s reasoning, as documented by the Electronic Frontier Foundation, was that such an exemption could undermine the data-collection purpose of wellness programs. That purpose is not always your health. The economics of many programs depend on selling de-identified—or pseudonymized—data to insurers, research brokers, or analytics firms. The FTC has noted that companies making privacy promises, even implied ones, must honor them, but the enforcement landscape is patchy. A 2019 randomized study across twenty BJ’s Wholesale Club worksites found that wellness programs produced no significant improvement in health outcomes or healthcare spending over eighteen months. If the clinical benefit is that thin, the data flow becomes the product.
What the welcome packet does not mention is that the same data stream can route your step count and heart-rate variability toward a risk model that prices your future coverage. The Health Insurance Portability and Accountability Act generally does not apply to wellness programs offered directly by an employer unless the program is part of a group health plan, and even then, the privacy protections are narrower than people assume. The FTC’s Health Breach Notification Rule covers some vendors, but it triggers only after a breach, not before the data is sold.
Your move
Before you sync the device, find the privacy notice. It is probably not in the app. Check the employer’s benefits portal, the vendor’s website, or the PDF that came with the enrollment link. Look for the words “sell,” “share,” “de-identified,” and “third party.” If the policy says data is shared with “affiliates” or “partners,” assume that means brokers and analytics firms. Ask your benefits administrator three questions: who is the data controller, what specific data points leave the vendor’s servers, and whether you can opt out of data sharing without losing the discount. The FTC’s best-practices guide for health-app developers says privacy policies should not be copied from another app and should be accessible on a computer screen, not just a phone. If the policy you are given fails that test, treat the program accordingly.
If you decide to participate, open the app permissions immediately and revoke anything the function does not require. A step counter does not need your contacts. A sleep tracker does not need your location. Turn off background data collection when the device is not in active use. Check whether the app offers an in-app privacy dashboard; if it does, set every sharing toggle to the most restrictive position. The discount may be real, but the cost of handing over a continuous biometric log is paid in a currency that does not appear on the pay stub.
References
- New EEOC Rules Allow Employers to Pay for Employees’ Health Information — Electronic Frontier Foundation
- Rigorous new study of employee wellness programs suggests they may not be very effective — The Verge
- Health Privacy — Federal Trade Commission
- Mobile Health App Developers: FTC Best Practices — Federal Trade Commission