What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://www.onepeloton.com/privacy-policy', 'difficulty': 'MODERATE', 'action_type': 'EXPORT_DATA', 'instructions': "Submit a data access request through Peloton's privacy portal to receive a copy of all fitness and health data collected about you. California residents and EU/UK users have statutory rights to this data.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has increasingly pursued enforcement actions against health data companies for sharing sensitive fitness and health data without adequate consumer consent, under FTC Act Section 5.', 'complaint_url': 'https://reportfraud.ftc.gov/'}, {'agency': 'State_AG', 'reason': 'State AGs in California and Washington have specific statutory authority to enforce consumer health data protection laws including CPRA and the Washington My Health MY Data Act.', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this Health and Fitness Data Collection clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Health and Fitness Data Collection — Peloton

Share 𝕏 Share in Share 🔒 PDF

What it is

Peloton collects detailed data about every workout you do — including heart rate, calories, cadence, and resistance — and can share that information with third-party companies that help run Peloton's services.

Consumer impact (what this means for users)

Every workout you complete on a Peloton device generates detailed health and fitness data — including heart rate and calories — that Peloton collects and may share with third-party vendors, creating potential exposure of sensitive health indicators beyond your control.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Export Your Data

Submit a data access request through Peloton's privacy portal to receive a copy of all fitness and health data collected about you. California residents and EU/UK users have statutory rights to this data.

Cross-platform context

See how other platforms handle Health and Fitness Data Collection and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Your fitness and health metrics are among the most sensitive personal data categories, and their sharing with third parties creates privacy risks including potential use for insurance, employment, or health assessments beyond your fitness context.

View original clause language

When you use our Services, we may collect information about your workouts, fitness metrics, health indicators, and physical activity including heart rate data, cadence, resistance levels, distance, calories burned, and other performance metrics. This information may be used to personalize your experience, improve our Services, and may be shared with third-party service providers who assist in the operation of our platform.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: This provision implicates GDPR Art. 9 (special categories of personal data — health data requires explicit consent), CCPA/CPRA §1798.121 (sensitive personal information — health and fitness data requires opt-in for sharing), Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.) if biometric identifiers are captured, Washington My Health MY Data Act (2023) which broadly covers consumer health data regardless of HIPAA coverage, and HIPAA 45 C.F.R. Parts 160/164 (Peloton is not a covered entity but the 'HIPAA-adjacent' nature of the data creates reputational and regulatory risk).

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has increasingly pursued enforcement actions against health data companies for sharing sensitive fitness and health data without adequate consumer consent, under FTC Act Section 5.
File a complaint →
State AG

State AGs in California and Washington have specific statutory authority to enforce consumer health data protection laws including CPRA and the Washington My Health MY Data Act.
File a complaint →

Provision details

Document information

Document

Peloton Terms of Service

Entity

Peloton

Document last updated

April 29, 2026

Tracking information

First tracked

April 27, 2026

Last verified

April 27, 2026

Record ID

CA-P-003558

Document ID

CA-D-00219

Evidence Provenance

Source URL

https://www.onepeloton.com/terms-of-service

Wayback Machine

View archived versions →

SHA-256

c5b72ce6bff78fb2f65204125ae822c89db06c36e1d38034329bab78083bd877

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Peloton | Document: Peloton Terms of Service | Record: CA-P-003558
Captured: 2026-04-27 14:32:49 UTC | SHA-256: c5b72ce6bff78fb2…
URL: https://conductatlas.com/platform/peloton/peloton-terms-of-service/health-and-fitness-data-collection/
Accessed: May 2, 2026

Classification

Severity

High

Health and Fitness Data Collection