To my knowledge, there have been no legal cases brought forth to date in the U.S. over the collection of fitness tracker data by employers, although it would not be at all surprising if they arise, given the momentum behind employee wellness programs and the embrace of self-quantification devices by individuals. The outcome of such cases would likely turn upon which state the case was developed in, since some states, such as California, are more sympathetic to arguments that consents, whether in the consumer or employment context, can be invalid if there is a profound imbalance in bargaining power between the parties involved.
On an interesting side note in the Dutch case, local media identified one of the companies as BeBright, a consultancy that had handed out the bracelets to its staff. When asked about the decision, the company said it wasn’t going to quibble with the judgment, since it is the Authority’s role to “investigate where the line is.” Contrast this stance with the common position of U.S. tech giants, such as Google, who all too frequently respond to enforcement actions initiated by DPAs by contending that they are in full compliance with national data protection legislation and look forward to the opportunity to prove this in court. Granted that the enforcement actions they face have more far-reaching consequences for their business models and profits, such arguments are so specious as to be little more than testimonies to their ability to exploit the current weaknesses in the enforcement powers of European DPAs. We will have to see if they continue to be advanced when the sanctioning powers of the DPAs are dramatically strengthened under the General Data Protection Regulation.