Jun 05, 2026
Whoop and Oura Sued: Fitness Bands Leak Biometrics
Two of the most popular wearables in the wellness market are now defending federal class actions that say they have been routing customer biometric and health data through embedded advertising and analytics SDKs from Meta, Google, and Segment — without the written biometric consent the Illinois BIPA statute requires.
The Whoop case alleges that the Whoop band's companion app forwards a "treasure trove" of personal and biometric data to a third-party data pipeline operated by Segment, including full name, email, height, weight, birthday, gender, city, username, mobile device identifiers, vital signs, overall health profile, and titles of any videos the user viewed in the app. The Oura case challenges the company's biometric data retention policies under Illinois BIPA, alleging that fingerprint-adjacent biometric readings keep flowing to Oura's servers even after a user deletes their account.
Key Takeaways
- Whoop, Inc. is defending a federal class action alleging its app shares biometric and health data with Meta and Google advertising SDKs and the Segment analytics platform without user consent.
- Oura faces a separate class action in the Northern District of California alleging indefinite retention of biometric data even after account deletion, in violation of the Illinois Biometric Information Privacy Act.
- Illinois BIPA permits statutory damages of up to $5,000 per intentional violation, with over 107 BIPA class actions filed in 2025 alone.
- The Whoop case adds claims under the California Invasion of Privacy Act, the Confidentiality of Medical Information Act, and the federal Video Privacy Protection Act for sharing video viewing history without consent.
- If a settlement is reached, plaintiff payouts are projected at $25 to $400 per class member, but the long-term cost to Whoop and Oura is the disclosure obligation each new ruling forces on the wider wearables industry.
What Whoop Is Accused of Doing
According to the complaint, Whoop embeds a Segment SDK inside the Whoop companion app. Segment is a customer data platform that aggregates analytics events from a client app and fans them out to whichever downstream destinations the client has configured — Meta's Conversions API, Google Ads, Mixpanel, internal data warehouses, and so on. The plaintiffs say the data Whoop forwards through that pipeline includes far more than a sanitized analytics event. It includes vital signs measurements, health profiles, and content viewing history.
If true, that creates two distinct legal exposures. The first is wiretapping. The California Invasion of Privacy Act treats unauthorized interception of communications as a strict-liability tort, and federal courts have applied it to website session replay and SDK-based data forwarding multiple times over the last three years. The second is the federal Video Privacy Protection Act, which prohibits sharing a person's video viewing history without written consent, a statute originally written to protect 1980s VHS rental records that has found new life in the world of streaming apps.
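For engineering teams that run this kind of fan-out pipeline, the control that separates a sanitized analytics event from the payload the complaint describes is a per-destination allowlist applied before the event leaves the app or backend. The sketch below is an added example, not code from the complaint, Whoop, or Segment; the field names, destination names, policy, and sample event are all constructed assumptions.

```python
# Added example: constructed data and hypothetical names; not Whoop's or Segment's code.
import copy

# Field categories mirror the data types listed in the complaint as summarized above.
SENSITIVE = {
    "identity": {"name", "email", "birthday", "gender", "city", "username"},
    "body": {"height", "weight"},
    "device_id": {"advertising_id", "device_id"},
    "vitals": {"heart_rate", "hrv", "spo2", "skin_temp", "health_profile"},
    "video": {"video_title"},
}
CATEGORY_OF = {f: cat for cat, fields in SENSITIVE.items() for f in fields}

# Hypothetical policy: which sensitive categories each destination may receive.
DESTINATION_POLICY = {
    "internal_warehouse": {"identity", "body", "vitals"},  # assumed covered by written consent
    "ads_platform": set(),                                 # nothing sensitive for ad targeting
    "product_analytics": set(),
}

def scrub(event, destination):
    """Return (clean_event, dropped_paths); unknown destinations get no sensitive fields."""
    allowed = DESTINATION_POLICY.get(destination, set())
    dropped = []

    def walk(node, path):
        if isinstance(node, dict):
            for key in list(node):
                cat = CATEGORY_OF.get(key.lower())
                here = f"{path}.{key}" if path else key
                if cat is not None and cat not in allowed:
                    del node[key]          # strip the field and record it for audit logs
                    dropped.append(here)
                else:
                    walk(node[key], here)  # recurse into nested objects and arrays
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    clean = copy.deepcopy(event)           # never mutate the caller's event
    walk(clean, "")
    return clean, sorted(dropped)

# Constructed sample event (illustrative field names, not captured traffic).
SAMPLE_EVENT = {
    "event": "Workout Video Completed",
    "user_id": "u_constructed_001",
    "traits": {"email": "user@example.com", "height": 180, "weight": 75, "city": "Chicago"},
    "properties": {"video_title": "Recovery Breathing", "duration_s": 600,
                   "samples": [{"heart_rate": 62, "hrv": 48}]},
    "context": {"advertising_id": "00000000-0000-0000-0000-000000000000", "app_version": "1.0"},
}
```

Logging the returned `dropped_paths` per destination gives a reviewable record of which fields were withheld from which partner, which is the evidence a consent or retention audit will ask for.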
Why Oura's BIPA Exposure Matters
Oura's ring uses optical sensors and a photoplethysmography readout to derive heart rate, heart rate variability, blood oxygen, and temperature trends. The plaintiffs argue that this readout, in combination with usage patterns, is biometric identifier data under BIPA — a category for which Illinois requires written informed consent before collection, and a written retention and destruction policy that the company actually follows.
The retention question is the part that makes BIPA dangerous to defendants. Illinois law requires biometric data to be destroyed when the original collection purpose has been satisfied, or within three years of last interaction. A plaintiff who can show that biometric data persisted on company servers years after the user deleted their account moves the case from "no harm" to "intentional violation" — and intentional violations carry the $5,000 per person ceiling, not the $1,000 negligent ceiling.
Where This Fits in the 2026 Privacy Litigation Surge
BIPA filings hit a record 107-plus class actions in 2025, and the 2026 pace looks higher. The pattern is consistent: a privacy plaintiffs' firm identifies a feature in a popular app that touches biometric, video, or health data, then files in Illinois (BIPA), California (CIPA, CMIA, CCPA), or Washington (My Health My Data Act) depending on which statute fits the facts best. Each new ruling that survives a motion to dismiss lowers the cost of the next filing.
For context on how aggressive the FTC has become on biometric and tracking enforcement, see our coverage of the FTC's Cox Media Group active listening settlement and the FTC Kochava location data broker ban. For an academic look at how few signals it takes to fingerprint a person from their everyday device data, see the four most visited websites browsing fingerprint study.
What Wearable Users Can Do
- Read the wearable app's privacy disclosure with the assumption that "analytics partners" includes a path to Meta and Google ad targeting. The default sharing settings rarely match a privacy-oriented user's preferences.
- Turn off optional data-sharing toggles, in-app personalized advertising, and any "improve our products" telemetry. These cover the most aggressive collection paths in most wearable apps.
- If you live in Illinois, Washington, or Texas, your state biometric law gives you statutory rights to demand deletion. Use them.
- Check whether your wearable app has the same kind of email subscription that quietly routes you onto a marketing automation platform — those platforms are exactly the systems that drop tracking pixels into the welcome emails you get next.
Why This Matters Beyond the Wearable Aisle
The same SDK pipeline that ships Whoop heart rate data to Segment ships your email address to a marketing automation platform, then onward to the email service provider that drops tracking pixels in every newsletter you receive. The wearables litigation matters because it forces the underlying data flow into open court — and the open court record is where the rest of the consumer data ecosystem learns what it has been doing wrong.