My company (mid size logistics company, around 800 employees) rolled out this wellness initiative back in January through some third party app. HR pitched it as a way to reduce your monthly insurance premium by up to $40 if you hit certain health benchmarks, steps, sleep, hydration logs, the usual stuff.
Seemed fine at first whatever. I had a bit of money saved that I was trying to expand and was trying to be more active anyway so I thought whatever, ill take the discount.
Then last week one of the IT guys who was configuring MDM profiles noticed the app has location permissions set to always on, not just during work hours. He dropped it in the team Slack and within like 2 hours the message got deleted by a manager.
Looked into the app's privacy policy myself and buried somewhere around page 11 it says location data "may be collected to enhance your wellness experience and shared with your employer's wellness program administrator."
So basically my company is paying a third party to track where I physically am on weekends, at night, at doctors appointments, wherever, and dangling a $40 insurance discount so we willingly agree to it.
Went to HR and got told "its covered under the consent you agreed to when you enrolled." I never saw any consent form, just an email saying the program was launching and to download the app.
Is this even legal? Feels like it shouldn't be but probably is hidden in some clause nobody reads