Table 3 Privacy and data security evaluation framework for wearable technologies
Dimension | Criterion | Indicators | Source regulation or framework |
---|---|---|---|
1. Transparency | User Notification About Third-Party Requests for User Information | 1. User notification for government requests 2. User notification for private requests 3. Disclosure of non-notification scenarios (e.g., legal restrictions) | GDPR Art. 15(1)(g), CCPA 1798.110(c) |
1. Transparency | Transparency Reporting | 1. Number of requests by country 2. Request types (stored info, real-time) 3. Accounts affected 4. Legal basis disclosed | Digital Standard, GDPR Art. 12, GDPR Recital 63 |
1. Transparency | Threat Notification | 1. Prompt authority notification for breaches 2. User notification process 3. Breach handling procedures | GDPR Art. 33, CCPA 1798.82, NIST SP 800-61 |
1. Transparency | Identity Policy | 1. No requirement for government-issued ID verification | UN Digital Identity Principles, GDPR Art. 5 (data minimization), OECD Privacy Principles |
2. Data Collection Purpose | Data Use | 1. Data usage limited to the collection purpose 2. Disclosure of all data uses | GDPR Art. 5(1)(b), OECD Privacy Principles |
2. Data Collection Purpose | Data Collection | 1. Specific data elements disclosed 2. Collection method and timing 3. Inclusion of third-party data | CCPA 1798.110(a), GDPR Art. 13(1)(c), Digital Standard |
2. Data Collection Purpose | Minimal Data Collection | 1. Commitment to minimal data collection 2. Product functionality without unnecessary permissions | GDPR Art. 5(1)(c) (Data Minimization), Digital Standard, HIPAA Minimum Necessary Standard |
2. Data Collection Purpose | Privacy by Default | 1. Default optimal privacy settings 2. Targeted advertising off by default | GDPR Art. 25, Digital Standard |
2. Data Collection Purpose | Data Benefits | 1. Purpose disclosure for each data type | Fair Information Practice Principles (FIPPs), Digital Standard |
3. Data Minimization | Purpose Limitation | 1. Data collection purpose specified 2. Only necessary data collected | GDPR Art. 5(1)(b), HIPAA |
3. Data Minimization | User Control Over Data Collection | 1. Data collection controls 2. Functionality with disabled non-essential permissions | GDPR Art. 20, CCPA 1798.105, Digital Standard |
3. Data Minimization | Data Retention | 1. Retention period disclosure 2. Data deletion or anonymization when not necessary | GDPR Art. 5(1)(e), CCPA 1798.105(c), HIPAA |
4. User Control and Rights | Data Control | 1. Ability to disable or limit data collection 2. Controls via website/app | CCPA 1798.135, GDPR Art. 20 |
4. User Control and Rights | Control Over Targeted Advertising | 1. Option to disable targeted advertising | CCPA 1798.120, GDPR Art. 21 |
4. User Control and Rights | Data Access | 1. Disclosure of accessible data types 2. Structured format (e.g., JSON, CSV) | GDPR Art. 15, CCPA 1798.100(d) |
4. User Control and Rights | Data Deletion | 1. Retention period disclosure 2. Easy deletion of non-essential data | CCPA 1798.105(a), GDPR Art. 17 (Right to Erasure) |
5. Third-Party Data Sharing | Data Sharing | 1. Scope and necessity of data sharing 2. Disclosure of shared data and recipients 3. Disclosure of government sharing | GDPR Art. 5(1)(c), CCPA 1798.115(a), Digital Standard |
6. Data Security | Authentication | 1. Multi-factor authentication available 2. Authentication required per access 3. Brute-force resistance | NIST SP 800-63, GDPR Art. 32 |
6. Data Security | Encryption | 1. Transmission and storage encryption 2. Default end-to-end encryption | GDPR Art. 32, HIPAA |
6. Data Security | Known Exploit Resistance | 1. Security against known bugs and attacks | OWASP Top Ten, ISO/IEC 27001, NIST |
6. Data Security | Security Oversight | 1. Internal access limits and monitoring 2. Third-party audits | ISO/IEC 27001, GDPR Art. 24 |
6. Data Security | Security Over Time | 1. Lifecycle communication 2. Automatic updates | NIST SP 800-128, GDPR Art. 32 |
6. Data Security | Vulnerability Disclosure Program | 1. Bug bounty or vulnerability disclosure 2. Timeframe for addressing vulnerabilities | Digital Standard, ISO/IEC 29147 |
7. Breach Notification | Threat Notification | 1. Prompt authority notification 2. User breach notification and response details | GDPR Art. 33, CCPA 1798.82, NIST SP 800-61 |