A gym isn't a hospital, and a fitness app isn't a doctor's office. Neither is a HIPAA covered entity, so the framing that dominates healthcare privacy doesn't apply here. That fools a lot of fitness and wellness operators into thinking the data they collect is low-risk. The FTC disagrees.
The agency has already brought enforcement actions against period-tracking app Flo, ovulation-tracking app Premom, and consumer-health company GoodRx for sharing sensitive health information with Facebook, Google, and other platforms; GoodRx and Premom paid civil penalties, and Flo settled under a consent order. Workout history, body measurements, cycle data, and even which classes you book are the kind of information regulators and state laws now treat as health data. This guide covers how fitness, wellness, and gym businesses run cookie consent without stepping into that trap.
Why fitness data is treated as health data
The rules that reach you don't come from HIPAA. They come from a different stack.
- FTC enforcement. The Premom order and the earlier Flo and GoodRx actions all turned on the same fact pattern: an app promised privacy, then let an advertising SDK or pixel send health details to third parties. The FTC called that an unfair or deceptive practice and, in the GoodRx and Premom cases, a violation of its Health Breach Notification Rule.
- Health Breach Notification Rule. The FTC's amended rule, in effect since July 2024, explicitly covers health apps and connected devices that fall outside HIPAA, which is exactly where fitness apps and wearables sit. It treats an unauthorized disclosure, including sharing with an ad platform the user never authorized, as a breach that must be reported to affected consumers and to the FTC. See the rule text.
- State health-data laws. Washington's My Health My Data Act defines consumer health data broadly enough to reach fitness, biometric, and precise-location signals, and it carries a private right of action. Our MHMD guide breaks down why that one is dangerous.
Where fitness sites leak
The risk isn't spread evenly across your site. A few flows carry most of it.
- Class and appointment booking. A booking page can reveal that someone signed up for a prenatal class, a physical-therapy session, or an addiction-recovery meeting. A marketing pixel on that page ships a health inference to an ad platform.
- Onboarding and goal quizzes. "What's your weight goal? Any injuries? Any conditions?" These intake forms collect exactly the data the FTC cases were about, and session-recording tools can capture every keystroke.
- Wearable and app sync. If your site connects to a wearable or logs workouts, that data is health data, and any analytics tag with access to it inherits the sensitivity.
- Member portals. Progress dashboards, body-composition history, and coaching notes all count.
The pattern to notice: the more useful a page is to your product, the more health signal it carries. Your best-converting quiz and your stickiest dashboard are also your two biggest liabilities, so they need the tightest tracking controls, not the loosest.
The consent posture that keeps you clean
Fitness businesses run in the same US-plus-EU world as everyone else, so you need both the EU/UK opt-in model and the US opt-out model, but the sensitivity of the data raises the bar on both sides.
- Block marketing and session-recording tags on sensitive flows. Keep advertising, analytics, and replay scripts off booking pages, intake quizzes, and member portals until consent, and confirm they don't capture form fields even after consent. Our session-replay guide explains why those tools are the quiet danger.
- Explicit opt-in in the EU and UK. Health data is a special category under Article 9 of the GDPR and UK GDPR, so consent has to be explicit, not implied by continued browsing. A pre-ticked box or an "accept by scrolling" banner won't hold up, and the data you're collecting is exactly the kind an EU regulator scrutinizes first.
- Opt-out and GPC in the US. Sharing fitness or health inferences with an ad platform counts as sharing or a sale under state privacy laws, so you owe a Do Not Sell or Share path and have to honor Global Privacy Control as an opt-out signal. Health inferences are sensitive data, which raises the consent standard: most comprehensive state laws (Colorado, Connecticut, Virginia, and others) require opt-in consent before processing sensitive data, and California gives consumers a right to limit its use. In practice that means sensitive flows need affirmative opt-in even in the US. See our sensitive-data guide.
Where your product is a mobile app, remember the app collects device IDs rather than cookies, and the same duties attach through SDK consent. Our mobile app consent guide covers that side.
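As an added example (not CookieBeam's code and not from the original page), here is a small consent gate in JavaScript that implements the web-side posture above: explicit opt-in in the EU and UK and on sensitive flows everywhere, the opt-out model plus Global Privacy Control on other US pages, and a refusal to start a session-replay tool that does not declare input masking. The path patterns, the category names, and the `data-consent` and `data-masks-inputs` attributes are assumptions chosen for illustration; map them onto your own tag inventory.

```javascript
// Added example (not CookieBeam code): a consent gate for a fitness site.
// It decides which tag categories may run on the current page and then turns
// only the matching <script type="text/plain" data-consent="..."> tags live.
// The path patterns, category names and data-* attributes are assumptions
// chosen for illustration; adapt them to your own tag inventory.

const SENSITIVE_PATHS = [/^\/book/, /^\/intake/, /^\/quiz/, /^\/members/];
const OPT_IN_REGIONS = new Set(["EU", "UK"]); // GDPR / UK GDPR Art. 9: explicit consent
const GATED = ["analytics", "marketing", "replay"]; // "necessary" is never gated

function isSensitivePath(path) {
  return SENSITIVE_PATHS.some((re) => re.test(path));
}

// region:  "EU", "UK" or "US" (anything else is handled like the US opt-out model)
// consent: the record the banner stored, e.g. { analytics: true, marketing: false },
//          or null if the visitor has not interacted with the banner yet
// gpc:     true when the browser sent Global Privacy Control
//          (navigator.globalPrivacyControl === true, or Sec-GPC: 1 seen server-side)
// path:    location.pathname of the page being loaded
function allowedCategories({ region, consent, gpc, path }) {
  const allowed = new Set(["necessary"]);
  // Health inferences are sensitive data in most US states, so sensitive flows
  // use the explicit opt-in model everywhere, not just in the EU/UK.
  const optIn = OPT_IN_REGIONS.has(region) || isSensitivePath(path);
  const explicit = (cat) => consent !== null && consent[cat] === true;

  for (const cat of GATED) {
    let ok;
    if (optIn) {
      ok = explicit(cat); // a missing or pre-ticked answer is not consent
    } else {
      ok = consent === null || consent[cat] !== false; // US opt-out: on until declined
    }
    // GPC is a valid Do Not Sell or Share request: marketing stays off unless the
    // visitor explicitly opted in through the banner after the signal conflict.
    if (cat === "marketing" && gpc && !explicit(cat)) ok = false;
    if (ok) allowed.add(cat);
  }
  return allowed;
}

// Turn gated tags live. `doc` is a parameter so the gate can run without a
// browser in tests; in the page call activateTags(document, allowed).
function activateTags(doc, allowed) {
  const activated = [];
  const gated = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const el of Array.from(gated)) {
    const cat = el.getAttribute("data-consent");
    if (!allowed.has(cat)) continue;
    // Replay tools must mask form fields even after consent; a replay tag that
    // does not declare input masking (assumed data-masks-inputs attribute) is
    // left blocked rather than allowed to capture a health-goal quiz.
    if (cat === "replay" && el.getAttribute("data-masks-inputs") !== "true") continue;
    const live = doc.createElement("script");
    for (const { name, value } of Array.from(el.attributes)) {
      if (name !== "type") live.setAttribute(name, value); // keeps src, async, data-*
    }
    live.type = "text/javascript";
    if (!el.src) live.textContent = el.textContent; // inline snippet, e.g. a pixel bootstrap
    el.replaceWith(live); // a freshly created script element executes on insertion
    activated.push(cat);
  }
  return activated;
}
```

On every page load, and again whenever the banner stores a new decision, run `activateTags(document, allowedCategories({ region, consent, gpc: navigator.globalPrivacyControl === true, path: location.pathname }))`, where `region` comes from your geo lookup and `consent` from the stored record. Because the gate runs before any gated tag exists as executable script, a booking page or intake quiz never has a marketing pixel or replay recorder in it until the visitor has affirmatively opted in.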
How CookieBeam handles fitness and wellness sites
CookieBeam manages the web consent and script-control layer that keeps tracking away from your sensitive flows.
- Script blocking on booking and intake pages. Marketing, analytics, and session-recording scripts stay blocked until consent, so they can't read a class booking or a health-goal quiz. Booking-engine, cart, and auth cookies keep running so the flow never breaks.
- EU opt-in plus US opt-out from one config. Geo-targeted regional consent runs both models, honors Global Privacy Control, and applies sensitive-data handling to health inferences.
- Scanning across the funnel. The scanner crawls booking, quiz, and portal pages and flags new cookies and outbound connections when a new studio-management or marketing integration drops a tag.
- Durable consent records. Timestamped logs of what each member agreed to, which is the evidence you'd want if the FTC asked how health data left your site.
Checklist for fitness and wellness websites
- Accept that fitness and wellness data is health data under FTC and state rules, even though HIPAA doesn't apply.
- Identify the sensitive flows: class booking, intake quizzes, wearable sync, member portals.
- Block marketing, analytics, and session-recording tags on those flows until consent.
- Confirm replay and analytics tools don't capture form fields even after consent.
- Run EU/UK explicit opt-in and US opt-out, and honor Global Privacy Control.
- Treat health inferences as sensitive data under state law.
- Scan continuously and log consent, since studio-management tools add tags often.