OTC Glucose Monitors Bring Personal Wellness Data to the Masses – and Raise New Privacy Risks
What Happened — Over‑the‑counter continuous glucose monitors (CGMs) are now sold directly to consumers and sync health data to companion mobile apps. While the devices improve self‑monitoring, the apps often collect, store, and share location‑linked glucose readings without clear user consent or robust privacy controls.
Why It Matters for Compliance & Audit Readiness
- The scenario exemplifies a privacy‑by‑design gap that SOC 2 CC 5.2 (Privacy) and GDPR/CCPA obligations flag as a control deficiency.
- Continuous‑compliance programs must evidence that data‑processing agreements, consent capture, and DSAR (Data Subject Access Request) workflows are in place and auditable.
- Verisq’s CookiePLUS capability provides a centralized consent‑management layer and automated DSAR readiness evidence that can be attached to your SOC 2 audit package.
Who Is Affected – Consumers of OTC CGMs, health‑tech app developers, and any organization that ingests the data (e.g., wellness platforms, insurers, employer health programs).
Recommended Actions
- Map the app’s data‑collection flows to SOC 2 CC 5.2 privacy controls and document consent mechanisms.
- Deploy a consent‑management solution that logs user opt‑ins/opt‑outs and can generate DSAR responses on demand.
- Conduct a privacy impact assessment (PIA) for the CGM data pipeline and remediate any undocumented third‑party sharing.
Source: TechRepublic – OTC Glucose Monitors Make Wellness Tracking More Personal — and More Complicated
Technical Notes – The risk stems from mobile‑app SDKs that harvest sensor data and location metadata, often via undocumented APIs. No specific CVE is cited, but the privacy exposure is a systemic design issue.