Whoop Health Privacy Lawsuit Alleges Unauthorized Data Sharing

Whoop Inc., the maker of popular wearable fitness trackers, is facing a proposed class action lawsuit over allegations that it shared sensitive personal health data and in-app activity with a third-party tracker without user consent.

The lawsuit, a potential flash point for concerns about privacy, data security, and transparency in the booming wearable technology market, comes shortly after Health Secretary Robert F. Kennedy Jr. said wearables are central to his public health agenda.

What to Know:

• Whoop allegedly shared personal health data—including heart rate, sleep patterns, stress levels, reproductive health metrics, and video viewing history—without user consent
• The lead plaintiff filed the lawsuit seeking to represent national and California classes
• While wearable devices can provide numerous health benefits, the Whoop lawsuit underscores ethical and privacy concerns associated with data collection and sharing
• RJK Jr. recently stated he wants every American using a wearable health device
• Milberg attorneys, experienced in privacy and consumer litigation, represent the plaintiff and class members

What Is Whoop?

Whoop has been in the wearable fitness market since 2012. Unlike other popular devices such as Fitbit or Apple Watch, WHOOP markets itself less as a gadget and more as a subscription-based performance system. It’s hardware, a wearable strap, is bundled into a service that costs anywhere from $199 to $359 per year, depending on the tier—One, Peak, and Life—each offering increasingly detailed health insights.

In return for an annual subscription fee, users receive the strap and access to the app, which delivers personalized health insights, recommendations, and coaching.

The strap itself has no display. It quietly tracks data 24/7 and syncs it to the app. Whoop markets this “invisible” approach as a way to help users improve sleep, recovery, and performance without the distraction of constant screen-checking. The app also tracks which educational videos users watch, including guided meditations and breathing exercises.

Whoop collects a wide range of metrics, including:

• Heart rate and heart rate variability
• Respiratory rate and blood oxygen (SpO2)
• Skin temperature
• Sleep cycles and disturbances
• Stress levels
• Recovery scores
• Reproductive and hormonal metrics for women

Higher-tier subscriptions unlock more advanced features, like blood pressure monitoring, ECG readings, and AFib detection.

Whoop Accused of a ‘Whoops’ With User Data

Whoop markets itself as “revolutionizing the way that people understand their bodies” and providing “unprecedented visibility into the relationship between physiology and performance.”

But according to Plaintiff Steven Lomeli, in a complaint filed in U.S. District Court for the Northern District of California, the visibility of his personal health data to an undisclosed third party, unbeknownst to him and other Whoop users, is at issue with the wearable.

Consumers were never informed that their personal health data and video watching history would be disclosed to an unknown third-party nor did they consent to such a disclosure.

“WHOOP embedded a third-party tracker called Segment into its mobile app that allows Segment to collect consumer data from the WHOOP app,” states the complaint. “WHOOP discloses to Segment personal information on Plaintiff and the Class including their full name, email address, height, weight, birthday, city, gender, username, and information about their mobile devices.”

WHOOP also discloses consumers’ vitals, such as their heart rate, and the titles of videos they have watched and/or requested from the WHOOP app, which includes their full name and email address, to Segment without notifying users or obtaining consent, the complaint alleges.

Lomeli claims these actions violate the Video Privacy Protection Act (VPPA) and the California Medical Information Act (CMIA). He seeks to represent a nationwide class of U.S. residents who watched videos in the Whoop app over the past two years, as well as a California class of Whoop members.

The complaint seeks injunctive relief, damages, disgorgement of profits, and attorney fees for Lomeli and class members, who are represented by Heather M. Lopez of the firm’s Beverly Hills office.

A Digital Health Tracker on Every Wrist?

Whoop’s use of the subscription model that has become popular in industries like streaming and software, and promises an improved and personalized customer experience, allows the company to monetize ongoing access to users’ health data. But the continuous, detailed health tracking model that powers Whoop also raises privacy concerns.

The Whoop health privacy lawsuit challenges whether the company has been transparent about how it uses and shares sensitive health information. It’s a question relevant not only to Whoop’s practices, but to the wearable technology market as a whole, which has gained in popularity among an increasingly health-conscious public and even garnered the attention of top health officials.

Nearly 1 in 3 Americans uses a wearable device, like a smart watch or band, to track their health and fitness. More than 90% say that they would be “somewhat” or “extremely” interested in sharing their personal health information with a healthcare provider, according to a recent study. A majority are also willing to share their health data with family and friends, while approximately 35 to 50% would share this data with medical researchers.

HIPAA protects health data used by a covered entity (e.g., a provider or insurer). But when a consumer enters data into a health app or uses a wearable to track health metrics, their data isn’t subject to HIPAA.

One study found “general, yet conditional public support” for sharing personal health data for third-party or secondary use depending on factors that include transparency and individual control over who has access to what data and for how long. It notes that there have been “a series of high-profile data sharing scandals” and that “data privacy, security, and management concerns” were the barriers most often identified as affecting public willingness to share personal health data.

Specific data privacy and security concerns identified in the study include confidentiality breaches, unauthorized or unknown data access, data misuse and abuse, data or identify theft and fraud, and unauthorized data uses that could result in new harms that cannot yet be foreseen.

Data privacy and protection issues surrounding wearable digital health technology have gained attention after HHS Secretary RFK Jr. stated in June that these devices are central to his “Make America Healthy Again” agenda.

Politico reported in June that Kennedy wants every American using a wearable health device within four years. Speaking at a hearing of the House Energy and Commerce Subcommittee, Kennedy said that the agency he oversees is preparing “one of the biggest advertising campaigns in HHS history to promote wearables.

“It’s a way people can take control of their own health,” Secretary Kennedy said. “They can take responsibility.”

However, Brown University cautions that wearable device data is often stored in the cloud and could be sold to companies, advertisers, or researchers without someone’s knowledge or consent and is associated with a high risk of data breaches and identity theft.

“I am fully aware of the dangers mass data collection poses to personal freedoms, and I do not advise anyone to purchase a wearable that does not provide ironclad privacy protections,” Kennedy told Axios.

Milberg Is Leading the Data Privacy Fight

Milberg pioneered federal class action litigation and is one of the top privacy and cybersecurity firms in the country. As digital threats evolve, we evolve alongside them to make sure data collectors like Whoop respect privacy and maintain transparency about how data is used.