The Journal
PrivacyJanuary 13, 2026 7 min read

HIPAA, GDPR and Your Bathroom Data

What data-protection laws actually mean for consumer health devices — and the questions they should prompt you to ask.

Glowing teal shield of light over a data vault

HIPAA and GDPR shape how health data can be handled, but consumer devices sit in a nuanced space. Knowing the basics helps you ask the right questions.

What the frameworks cover

GDPR grants strong rights over personal data — access, deletion, portability and consent. HIPAA governs protected health information in specific US contexts. Consumer devices may not automatically fall under HIPAA, which makes a vendor's own commitments crucial.

GDPR
data rights
HIPAA
US health data
Consent
explicit
Deletion
and portability

Questions to ask

Where is data stored and processed? Can you exercise deletion and portability rights? Is consent explicit and revocable? Strong vendors welcome these questions.

  • Access and portability rights
  • Deletion on request
  • Explicit, revocable consent
  • Vendor commitments beyond law
LUXOSMT treats every share as an explicit, revocable decision.

Beyond compliance

The best products exceed the legal minimum, treating privacy as a design principle rather than a checkbox.

Keep reading