How health data gets shared and sold — and what to look for
Health data moves to third parties in ways most people never see. A plain-language guide to how sharing and selling work — and how to evaluate an app before you trust it.

Key takeaways
- Health data from consumer apps can move to analytics providers, advertising platforms, and data brokers — often through routine "partner" arrangements rather than a dramatic sale.
- "De-identified" data is not the same as anonymous; stripped identifiers can sometimes be re-linked to a person.
- A handful of rules, plus a careful read of an app's privacy policy, give you real leverage over where your health data ends up.
Where does your data actually go?
When an app collects health information, the data rarely stays in one place. Several routine pathways move it outward, usually described in a privacy policy under broad terms like "service providers" or "partners":
- Analytics SDKs — third-party code bundled into the app to measure usage, which can transmit data back to the analytics company.
- Advertising platforms — when an app monetizes through ads, identifiers and behavior may flow to ad networks.
- Data brokers — companies that aggregate and resell information, sometimes including health-adjacent signals.
Most of this happens quietly, framed as ordinary product operation rather than a "sale." Vague language in a policy is itself a signal worth noticing.
Why "de-identified" data can still point back to you
Removing your name and email from a dataset feels like erasing you from it. In practice, stripped identifiers can sometimes be re-linked: combined with other data, a pattern of locations, times, or behaviors can narrow down to a single individual. That gap between de-identified and anonymous is where a lot of health-data sharing lives.
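To make that gap concrete, here is an added example (not part of the original guide) that measures how many records in a de-identified dataset are still unique on their remaining location, time, and behavior fields, and how coarsening those fields changes the result. The records, field names, and coarsening rules are constructed assumptions.

```python
from collections import Counter

# Constructed sample records, not real data. Field names are assumptions.
RECORDS = [
    {"name": "A", "email": "a@example.com", "area": "98101", "log_hour": 6,  "gym_visits": 5},
    {"name": "B", "email": "b@example.com", "area": "98101", "log_hour": 7,  "gym_visits": 5},
    {"name": "C", "email": "c@example.com", "area": "98102", "log_hour": 22, "gym_visits": 0},
    {"name": "D", "email": "d@example.com", "area": "98103", "log_hour": 21, "gym_visits": 1},
    {"name": "E", "email": "e@example.com", "area": "98109", "log_hour": 8,  "gym_visits": 4},
    {"name": "F", "email": "f@example.com", "area": "98104", "log_hour": 23, "gym_visits": 0},
]
DIRECT = ("name", "email")                 # identifiers a "de-identified" export strips
QUASI = ("area", "log_hour", "gym_visits") # location, time, behavior left behind

def deidentify(records):
    """Drop direct identifiers only, as a typical de-identified export does."""
    return [{k: v for k, v in r.items() if k not in DIRECT} for r in records]

def group_sizes(records, quasi=QUASI):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi) for r in records)

def unique_fraction(records, quasi=QUASI):
    """Share of records whose quasi-identifier combination belongs to one person."""
    sizes = group_sizes(records, quasi)
    alone = sum(1 for r in records if sizes[tuple(r[q] for q in quasi)] == 1)
    return alone / len(records)

def min_k(records, quasi=QUASI):
    """Smallest group size (the k in k-anonymity); k == 1 means someone stands alone."""
    return min(group_sizes(records, quasi).values())

def generalize(records):
    """Coarsen each field so that more people fall into the same group."""
    return [{
        "area": r["area"][:3] + "**",
        "log_hour": "morning" if r["log_hour"] < 12 else "evening",
        "gym_visits": "3+" if r["gym_visits"] >= 3 else "0-2",
    } for r in records]

if __name__ == "__main__":
    stripped = deidentify(RECORDS)
    print("names removed:", unique_fraction(stripped), "unique, k =", min_k(stripped))
    coarse = generalize(RECORDS)
    print("generalized:  ", unique_fraction(coarse), "unique, k =", min_k(coarse))
```

With names and emails removed, every constructed record is still one of a kind; only after the fields are coarsened does each person share a group with two others.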
The rules that do apply
Even outside HIPAA, several rules constrain what apps can do:
- The FTC has regarded sharing sensitive health information with advertising and analytics platforms, in ways users did not expect, as a deceptive practice or a breach-notification failure.
- State health-data laws, such as Washington's My Health My Data Act, govern the collection and sharing of consumer health data and, in some cases, let people enforce those rights directly.
- Broad state privacy laws like California's CCPA add rights to know about, delete, and opt out of the sale or sharing of personal information.
What gives you leverage
You have more control than the defaults suggest. A few practical levers:
- Read the privacy policy's sharing section — look for who data goes to and why, not just whether it's "protected."
- Use opt-outs and deletion tools where offered, and check what deletion actually removes.
- Prefer apps that commit, in plain language, to not selling data or using it for ad targeting.
Vagueness is itself information. The clearer an app is about where your data does and doesn't go, the more that clarity is worth.

