Whoop Sued Over Third-Party Data Sharing Without User Consent

Whoop is facing a class action lawsuit filed by Steven Lomeli, who alleges the company embedded a Segment tracker inside its app and used it to share personal data with third parties without user permission. That data includes personally identifiable information, biometric vitals, stress levels, and video titles viewed inside the app.

The lawsuit cites two specific legal violations: the Video Privacy Protection Act (VPPA) and California's Margot's Identity Act (MIA). The VPPA angle is significant because it covers the disclosure of video viewing history tied to an identifiable person, which carries statutory damages of up to $2,500 per violation.

For Whoop users, this hits differently than a typical data breach. You're not just talking about an email address leaking. This is resting heart rate, HRV, recovery scores, and stress data, the exact metrics Whoop charges up to $30 per month to generate. That's intimate physiological data being sent somewhere you never agreed to.

Compared to Garmin or Polar, Whoop is unique in that it has no one-time hardware purchase. Users pay an ongoing subscription built entirely on trust in that data relationship. Coros and Apple Watch at least give you local data options. Whoop's model is cloud-first, which makes this kind of allegation especially damaging to its core value proposition.

The lawsuit is still in early stages. But if the Segment tracker allegations hold up, Whoop has a serious problem beyond legal fees. Athletes sharing their most sensitive biometrics deserve to know exactly where that data goes.