Fitbit Web API User Data and Health Research Policy
Last revised on May 18, 2022
Effective as of August 16, 2022
Fitbit’s Platform Terms of Service, Platform Developer and User Data Policy, and Developer Guidelines are dedicated to protecting privacy and security while facilitating health and fitness research. Fitbit Web APIs may only be used for human subjects research, referred to as health research in this policy, if the research is submitted for review, reviewed, or approved by an independent board that 1) aims to protect the rights, safety, and well-being of participants and 2) has the authority to scrutinize, modify, and approve human subjects research. Independent boards include an Institutional Review Board (IRB) detailed in 45 C.F.R. §§ 46.101-115, an Ethics Committee (EC) detailed in Directive 2001/20/EC or Directive 2005/28/EC, or another entity adhering to substantially similar requirements (“Review Board”).
Fitbit approved applications and web services using the Fitbit Web API for health research will be labeled Health Research Applications or Health Research Web Services and collectively referred to as the “Health Research Applications and Web Services”. “You” and “your” as used herein refers to these Health Research Applications and Web Services. In the event of a conflict between this policy or any other terms with regard to accessing user data, this Health Research Policy controls for Health Research Applications and/or Web Services.
Health Research Applications and Web Services:
- Are responsible for obtaining approval or waiver from a Review Board;
- Must comply with the below policy, the Fitbit Platform Developer and User Data Policy except as otherwise stated herein, and other applicable Fitbit policies, including the Fitbit Platform Terms of Service; and,
- Must comply with any applicable federal and state laws and regulations, including the California Consumer Privacy Act, HIPAA, GDPR, the Common Rule, and the FDA regulations on the protection of human subjects.
It is your responsibility to monitor and ensure your compliance with these conditions on a regular basis. If, at any time, you cannot meet these conditions (or if there is a significant risk that you will not be able to meet them), you must immediately stop using our services. We also reserve the right to deny or revoke your authorization for health research if you do not comply with this policy or we have reasonable concerns about your compliance with this policy.
Health Research Attestation
Health Research Applications and Web Services must submit:
- A completed intake form
- IRB/EC (or substantially similar equivalent) Approval/Waiver Letter
- IRB/EC (or substantially similar equivalent) Accreditation
- Exact data requested and rationale for use
Determine Eligibility for Health Research
Health Research Applications and Web Services must confirm the eligibility of a participant before obtaining informed consent and requesting permission to access participant’s data.
Transparent and Accurate Notice and Control for Health Research
After confirmation of eligibility, you must comply with the Fitbit Developer and User Data Policy’s Transparent and Accurate Notice and Control section.
In addition, Health Research Applications or Web Services must provide a disclosure via a dialogue box, or a series of incremental dialogue boxes, that includes:
- The nature, purpose, and duration of the research;
- The risks and benefits to the participant;
- The privacy, security, and data handling measures in place to protect the data;
- The point of contact for any questions;
- The retention period(s) for data collected for the study;
- How to withdraw from the study;
- How to delete one’s data from the study throughout the lifecycle of the study, including whether the study permits deletion after the data becomes accessible to the public; and,
- Any other relevant documents or information required by your IRB/EC.
You must also provide an option for the participant to save, store, or email the above information, the Informed Consent documents, and any other documents required by the IRB/EC. Each participant must sign and submit the required disclosures and consents prior to participation in the study. It’s recommended that a copy of all signed documents be sent to the participant.
Health Research Applications and Web Services will follow the FDA’s Use of Electronic Informed Consent Questions and Answers, or substantially similar standards. For example, you might include plain language in your explanations with diagrams/infographics and you might ask participants to correctly answer questions about the health research prior to their enrollment.
Limited Uses of User Data for Health Research
Health Research Applications or Web Services must comply with the below requirements. These requirements apply to the participant data, the processed data obtained from the Fitbit Web API, and data aggregated, anonymized, or derived from the processed data.
- Limit your use of participant data to its intended purpose for collection.
- Immediately de-identify participant data to the greatest extent possible for your study.
- Do not use or share participant data with third parties for new research studies, or for any purpose different from the original study purposes, without obtaining a separate informed consent from participants, unless the IRB explicitly waives the requirement for separate informed consent.
- Do not use or share data with members of your team who do not have a genuine need to know.
- Only transfer participant data to third parties:
a. If necessary to pursue the original research purpose and the third parties are bound to limit its access and use of the participant data to fulfilling that purpose;
b. If the participant granted explicit consent to share specific data; for example, in the signed Informed Consent document presented to the participant;
c. If necessary for security purposes (for example, investigating abuse); or,
d. To comply with applicable laws or regulations.
All other transfers, uses, or sales of participant data are expressly prohibited, including:
- Transferring, selling, or using participant data for serving ads, including contextual, retargeting, personalized, or interest-based advertising.
- Transferring or selling participant data to third parties like advertising platforms, data brokers, or any other information resellers.
- Transferring, selling, or using participant data to determine credit-worthiness or for lending purposes.
- Transferring, selling, or using the participant data with any product or service that may qualify as a health device pursuant to Section 201(h) of the Federal Food Drug & Cosmetic (FD&C) Act if the participant data will be used by the health device to perform its certified function.
- Transferring, selling, or using participant data for any purpose or in any manner involving Protected Health Information (as defined by HIPAA) unless received by you under a valid HIPAA Authorization that was reviewed by an IRB or EC, as applicable.
An affirmative statement that your use of the data complies with the Limited Use restrictions must be disclosed in your application or on a website belonging to your web-service or application; for example, a link on a homepage to a dedicated page or privacy policy noting: “The use of information received from Fitbit Web APIs will adhere to the Fitbit Web API Health Research Policy, including the Limited Use requirements.” If you are unable to add a disclosure, then your app’s privacy policy must comply with the requirements outlined in this policy. This option might make the review time for your app longer.
Secure Data Handling Recommendations for Health Research
Health Research Applications and Web Services must comply with the Fitbit Platform Developer and User Data Policy’s Secure Data Handling section. Health Research Applications and Web Services are also recommended to follow best practices recommended by the U.S. Department of Health and Human Services, U.S. Food and Drug Administration regulations, or ICH Good Clinical Practice Guidelines, like applying for a Certificate of Confidentiality from the National Institutes of Health, which may protect data from compelled disclosure to third parties.
Publishing Data
Health Research Applications and Web Services may choose to publish the results of their research, but may not suggest that Fitbit approves of the study design, scientific validity of the research, or otherwise endorses the study findings unless provided in writing by Fitbit. Health Research Applications and Web Services must comply with the relevant laws and regulations as well as the following requirements if you plan to publish your research, or make it publicly available in any form:
- Notify Fitbit for the study’s inclusion in the Fitbit Publication Library.
- If applicable, we encourage you to register your study in a public registry; for example, clinicaltrials.gov.
- Publicly disclose the source of the information.
- Refrain from publishing individual data that may be identifiable. Good practices for re-identification risk mitigation include:
a. Wherever possible, provide summary-level aggregate data rather than individual-level de-identified data.
b. If you must share individual-level de-identified data, instead of publishing the data publicly, provide it selectively to others only for purposes of peer review, subject to contractual commitments by the recipient not to disclose or attempt to re-identify the data.
c. If you must publish individual-level de-identified data, you must do so in compliance with all applicable laws and at a minimum, use an accepted de-identification technique, like differential privacy, to preserve confidentiality, or obtain an expert determination that the risk of re-identification is very small.
Please refer to the Fitbit Web API Health Research Policy help center article for more information.