The Step Counter That Reports to Your Boss

Privacy Watchdog Sam | June 28, 2026 | 4 min read
TL;DR

That free fitness tracker from HR is a data siphon. Employers can see your steps, sleep, and stress patterns, and the law often lets them share it. Read the privacy policy, strip app permissions, and demand a standalone opt-out before you sync.

Why does your employer want your resting heart rate? The wellness program will say it’s about healthy habits, lower premiums, maybe a free wearable. That’s the pitch. The question nobody asks in the enrollment meeting is where the numbers go once they leave your wrist.

The pitch

Wellness programs wrap themselves in benefit language. Step challenges, smoking-cessation coaching, sleep-tracking apps—all at no charge or with a discount on your health plan. The framing is always the same: the company cares about your well-being, and this tool helps you take control. What the brochure leaves out is that the tool is also a sensor pointed inward, and the employer often holds the readout.

What they collect

A step-counting app reveals more than your daily total. A continuous trace of movement tells anyone reading it where you live, where you work, and roughly when you sleep. Add a heart-rate sensor and the data can suggest stress patterns, illness onset, or alcohol consumption. Employers already access health information through background checks, but wellness programs open a new, ongoing stream: whether you’re exercising, losing weight, have really quit smoking, or are succeeding in controlling an anger management problem, as the Electronic Frontier Foundation has documented.

The collection often extends beyond the wearable. Some platforms pull in pharmacy claims, biometric screenings, or health-risk assessments. The privacy policy may mention this in clause eleven, framed as personalization. But the honest answer to whether a step counter needs your contacts is that it does not.

What they don't tell you

The resale question is the one the terms-of-service update buries. Aggregated wellness data is valuable to insurers, research brokers, and third-party analytics firms, and the partnerships that move that data are often disclosed in dense legal prose nobody reads during onboarding. This is legal in most jurisdictions and not, by itself, a scandal. It is, however, a thing the employee should know before agreeing.

The regulatory backstop is thinner than people assume. The Health Insurance Portability and Accountability Act generally covers health providers and health plans, but when an employer operates a wellness program directly, HIPAA may not apply. The Federal Trade Commission can step in if a company makes privacy promises it doesn’t keep—the FTC Act requires living up to express or implied claims—and the Health Breach Notification Rule may kick in if a breach occurs. But no comprehensive federal law stops an employer from seeing your step count or sharing it with a data broker, provided the fine print nods in that direction.

Even the consent mechanisms can be porous. Written permission is supposed to precede background-check health inquiries, yet the exceptions for law enforcement, judicial processes, and administrative needs carve out wide paths around that requirement. In a wellness program, consent is often bundled into the enrollment clickthrough, and the default is sharing, not silence.

Your move

The fix is small. Open the app permissions and remove what the function doesn’t require. If the device offers an option to opt out of data sharing without losing core functionality, take it on day one. Read the privacy policy—really read it—and note the section that describes who the data can be disclosed to. If that section includes affiliates, business partners, or service providers without further limitation, assume the data travels.

Ask the benefits administrator a direct question: who sees the raw data, and can I use the program without contributing to the aggregate pool? A program that truly exists for your health will have a clear, standalone opt-out. One that exists for the data will make you search for it.

FAQ

Can my boss really see my step count?

Yes. If the wellness program is employer-run, HIPAA often doesn’t apply, and the fine print may grant access to raw or aggregated data. Assume they can see it unless you’ve confirmed otherwise in writing.

What’s the worst that could happen with this data?

Wellness data can be sold to data brokers, used to adjust your premiums, or even cited in employment decisions. The FTC can punish broken privacy promises, but the data flow itself is largely unregulated.

How do I opt out without losing the discount?

Ask your benefits administrator for a standalone opt-out that doesn’t require participating in data sharing. If they can’t provide one, the discount is likely the price of your privacy.

Start in MORLD

Strip every app permission that isn’t essential to the device’s core function, and refuse any program that won’t let you say no to data sharing. Your step count is nobody’s business but yours.
