Open Menu Open Menu

    Featured Health Care Privacy Public Health

    From Sleep Scores to State Surveillance: The Oura-DoD Connection

    Marcela Rivera
    By Marcela Rivera

    Oura Health Oy, the Finnish company behind the wildly popular Oura Ring, has recently announced an expanded partnership with the United States Department of Defense (“DoD”).[i] The news sparked a wave of public concern over the ramifications of government involvement with individuals most intimate biometric data.[ii] Marketed as a lifestyle tool for better sleep and recovery, the Oura Ring collects highly sensitive data such as heart rate, respiratory rate, temperature, blood oxygen, and sleep patterns.[iii] Unlike wrist-based wearables, Oura’s ring placement allows for more intricate measurement, producing an especially personalized profile of its users.[iv]  With Oura projected to hit $1 billion in sales this year, the company has become a dominant player in the wearables industry.[v] Yet, the deeper it integrates with government and defense actors, the more pressing the privacy risks become.

    Oura’s collaboration with the DoD should not come as a surprise.[vi] The partnership extends an ongoing collaboration between the two; tens of thousands of service members already use the Oura Ring and the Naval Health Research Center has tracked members’ sleep and readiness using the device.[vii] The recent expansion, however, goes further. In 2026, Oura will open a Fort Worth, Texas manufacturing facility specifically to bolster its defense partnerships.[viii] To comply with government security requirements, the company will rely on Palantir Technologies, the data-mining giant known for its government contracts, to provide the secure infrastructure.[ix]

    Oura insists that consumer and enterprise platforms are strictly firewalled.[x] The company has pledged never to sell or unlawfully share member data with the government and emphasizes that only service members who voluntarily enroll in DoD programs consent to data sharing.[xi] Yet, Oura’s response has largely consisted of broad assurances while dodging difficult questions about whether shifting legal standards or national security pressures could override company policy.[xii]

    Concerns about commercial wearables typically center on the potential misuse of personal data for advertising or insurance profiling.[xiii] But potential government access raises its own set of distinct concerns that carry greater implications. For instance, national security justifications often expand the state’s surveillance powers while bypassing the procedural safeguards that constrain private actors.[xiv] Thus, while Oura’s current policies appear restrictive, history shows that “trusted boundaries” can be undone by changing laws, executive actions, or internal shifts in policy.[xv]

    Service members face an additional legal wrinkle given that the military justice system recognizes reduced privacy rights for active-duty personnel.[xvi] Courts have affirmed that searches and inspections are judged under “military necessity,” a far more deferential standard than civilian Fourth Amendment review.[xvii] Expanding Oura’s biometric monitoring into this environment may compound the existing loss of privacy for those who already operate under curtailed constitutional protections.

    Thus, the debate surrounding Oura’s expanded partnership highlights a deeper problem: The legal framework protecting individuals’ biometric data in the digital era is inadequate.[xviii] Protections for biometric health data, which refers to information obtained from an individual’s unique physical characteristics, are especially underdeveloped.[xix] Despite the growing concern surrounding biometric technologies, Congress has yet to enact comprehensive federal legislation regulating its collection and use.[xx] Without a federal standard, the country relies on a patchwork of state statutes to fill regulatory gaps, creating inconsistency and confusion for both consumers and businesses.[xxi]

    While an increasing number of states regulate biometric data, most do so indirectly by classifying it as a category within broader privacy statutes, thereby extending those existing protections to biometric data.[xxii] However, a handful of states have enacted laws aimed at protecting the privacy of individuals’ biometric information through targeted legislation.[xxiii] Among such states, Illinois’ Biometric Privacy Act (“BIPA”) is widely regarded as the most demanding biometric privacy statute in the country.[xxiv] Enacted in 2008, the state law prohibits private entities from collecting or possessing individual’s biometric data without first satisfying specific statutory requirements.[xxv] BIPA’s core provisions require entities to provide notice, obtain informed consent, and implement robust data-handling safeguards before collecting, storing, or disclosing biometric data.[xxvi]

    Under BIPA, businesses possessing biometric data must provide individuals with written notice specifying the purpose and length of time for which the biometric information will be used.[xxvii] Additionally, applicable entities must make publicly available a written policy establishing a retention schedule for biometric data and adhere to certain guidelines in destroying such data.[xxviii] BIPA further reinforces public confidence that biometric data will remain secure by requiring private entities to employ industry-standard security measures.[xxix] Finally, the Act distinguishes itself as one of the most powerful biometric privacy statutes in the country by recognizing a private right of action for violations of the law.[xxx]

    Laws like BIPA highlight how current federal legislation has failed to keep pace with the nation’s current realities.[xxxi] Further, the Oura-DoD partnership epitomizes a broader trend of consumer technologies drifting into national security spaces.[xxxii] What began as a sleek lifestyle gadget is now a government performance-monitoring tool. While Oura insists on privacy firewalls, the involvement of Palantir and the broader national security apparatus ensures that public skepticism will remain high.

    That skepticism is only amplified by the relative lack of competition Oura now faces as consumers are left with little choice but to trust the company’s assurances in the absence of viable alternatives.[xxxiii] In August 2025, the U.S. International Trade Commission (“ITC”) ruled in Oura’s favor against competitors Ultrahuman and RingConn, finding that both infringed on the company’s design patents.[xxxiv] Both companies were issued cease-and-desist orders to block their smart ring imports into the United States by late October.[xxxv] Oura has publicly framed the decision as a victory against “dishonest tactics,” but critics warn that its aggressive patent enforcement risks consolidating market dominance.[xxxvi] That concern is compounded by Oura’s subscription-based model that charges users an annual fee to access key health-tracking features; while rivals like Samsung, Ultrahuman, and RingConn offer similar functionality without recurring costs.[xxxvii] The absence of meaningful consumer choice in the smart-ring market might be less troubling if individuals could rely on a robust federal framework to ensure their data remains secure.[xxxviii]

    Thus, Oura’s recent announcement raises a recurring challenge in the digital age concerning the protection of individual privacy when intimate data doubles as a valuable national security asset. The law is lagging behind technological realities as rapid advances in the industry have yet to be addressed by a clear national framework.[xxxix] Without stronger federal protections for biometric data, Americans are left to rely on company promises and fragmented state laws. Oura’s partnerships may improve soldier health and readiness, but it also serves as a reminder that once biometric data is collected, the line between personal wellness and government surveillance can blur quickly.

    [i] Oura Team, Ōura Establishes U.S. Manufacturing to Support Growing U.S. Defense Business, Oura Ring: The Pulse Blog (Aug. 27, 2025), https://ouraring.com/blog/oura-us-department-of-defense [https://perma.cc/FT5A-YYLB].

    [ii] Sarah Perez, Smart Ring Maker Oura’s CEO Addresses Recent Backlash, Says Future is a ‘Cloud of Wearables, Tech Crunch (Sep. 9, 2025, at 08:27 AM PDT), https://techcrunch.com/2025/09/09/smart-ring-maker-ouras-ceo-addresses-recent-backlash-says-future-is-a-cloud-of-wearables [https://perma.cc/6YML-DS7J] (observing that public backlash over Oura’s work with the Department of Defense and Palantir led Oura Ring’s CEO Tom Hale to issue a clarification via TikTok).

    [iii] David Seeley, ‘Smart Ring’ Maker Oura Expands its Defense Manufacturing Operations to Fort Worth, Ft. Wor. Econ. Dev. P’ship (Aug. 28, 2025), https://fortworthedp.com/smart-ring-maker-oura-expands-its-defense-manufacturing-operations-to-fort-worth [https://perma.cc/5GGT-DKTQ].

    [iv] Jordyn Holman, The C.E.O. Who Spends All Day Thinking About Sleep, N.Y. Times (Sep. 28, 2025), https://www.nytimes.com/2025/09/27/business/oura-ring-tom-hale.html [https://perma.cc/68QE-TSMD] (interviewing Oura Ring’s CEO Tom Hale who explained that the device’s “accuracy is a structural advantage of being at the ring and not at the wrist.”).

    [v] Id.

    [vi] Oura Team, supra note i (highlighting the “longstanding relationship” Oura has with the Department of Defense and referring to it as the company’s “largest enterprise customer”).

    [vii] Seeley, supra note iii.

    [viii] Id.

    [ix] Marco Quiroz-Gutierrez, Oura CEO Insists They’ll Never Sell Your Data as Customers Publicly Ditch Rings Over Privacy Fears Tied to Defense Department and Palantir, Fortune (Sep. 9, 2025, at 12:29 PM EDT), https://fortune.com/2025/09/09/oura-ceo-tom-hale-data-privacy-oura-ring-defense-department-palantir [https://perma.cc/UXJ8-T6B3] (noting that Palantir will provide Oura with its FedStart program to fast-track government security clearances).

    [x] Perez, supra note ii (stating that Oura’s enterprise operations are isolated from its consumer platform to prevent data crossover).

    [xi] Oura Team, supra note i.

    [xii] Video posted by Oura Ring (@ouraring), TikTok, Oura Ring: Protecting Your Personal Data Security (Sep. 2, 2025), https://www.tiktok.com/@ouraring/video/7545527826049420575 [https://perma.cc/89BW-BUDL] (assuring customers that Oura will not sell or share user data without explicit consent or authorization); see Sarah Sloat, Oura’s Partnership With the Pentagon is Ringing Alarm Bells for Customers, Slate (Oct. 2, 2025, at 5:45 AM), https://slate.com/technology/2025/10/oura-ring-pentagon-department-of-defense-health-wearable.html [https://perma.cc/NUN7-A76M] (noting that there are “structural limitations” to such company promises and observing that companies can unilaterally change their terms of service as OpenAI did in 2024 to permit military use of ChatGPT).

    [xiii] See Hannah Fry, Health Device Data is Protected, but Also used, Shared, Gov’t Tech. (Nov. 21, 2024), https://www.govtech.com/security/health-device-data-is-protected-but-also-used-shared [https://perma.cc/G6DZ-ZRB8] (reporting a 4000% increase in health-related cybersecurity breaches and attacks from 2019 to 2023).

    [xiv] See Robert Knowles, National Security Rulemaking, 41 Fla. St. Univ. L. Rev. 883, 885 (2014) (explaining that statutes like the Patriot Act and Foreign Intelligence Surveillance Act grant federal agencies broad authority to access and review private electronic data).

    [xv] Sloat, supra note xii.

    [xvi] See United States v. Middleton, 10 M.J. 123, 127 (C.M.A. 1981) (holding that privacy expectations in military society must be assessed in light of the unique demands of military life).

    [xvii] Id. at 128; c.f. Katz v. United States, 389 U.S. 347, 357 (1967) (holding that searches conducted outside the judicial process are “per se unreasonable” under the Fourth Amendment absent narrowly defined exceptions).

    [xviii] See Greg Marcus, Wear Your Heart on Your Sleeve, Whether You Like It or Not: How Federal Regulation Can Address Advances in Biometric Technology, 33 Univ. Mia. Sch. L. 131, 151 (2024) (arguing federal regulation of biometric data privacy is necessary due to the patchwork system of laws that undermine meaningful progress).

    [xix] Id. at 133, 153 (noting that technological advances have heightened privacy concerns surrounding biometric data and that the legal landscape regulating biometric data is currently fragmented).

    [xx] Ariana Naranjo, U.S. Biometric Data Laws, TWC Glob. (Apr. 1, 2025), https://www.tcwglobal.com/blog/u.s.-biometric-data-law [https://perma.cc/S6KM-KKUX] (explaining that the United States lacks a federal statute governing biometric data).

    [xxi] Id. (noting that compliance with biometric privacy laws is challenging because some states maintain strict regulations while others offer little to none).

    [xxii] See Marcus, supra note xviii (observing that only a few states have enacted biometric-specific statutes while others regulate biometric data as a subset of broader privacy laws).

    [xxiii] Id. at 143 (noting that Texas and Illinois distinguish themselves from other states through their comprehensive legislation of biometric data).

    [xxiv] See Stephen Titcombe, U.S. State Privacy Laws Directory, Terms Feed (Feb. 16, 2025), https://www.termsfeed.com/blog/us-state-privacy-laws-directory [https://perma.cc/QN3S-XGQX] (describing the Act as an “undisputed leader in the field of biometric privacy” that places stringent obligations on businesses).

    [xxv] Id. (explaining that BIPA regulates any private entities’ collection, use, or retention of biometric data belonging to Illinois residents); see Joseph J. Lazzarotti et al., We Get Privacy for Work – Episode 9: The Explosion in BIPA Litigation, Jackson Lewis (Sep. 25, 2025), https://www.jacksonlewis.com/insights/we-get-privacy-work-episode-9-explosion-bipa-litigation-0 [https://perma.cc/53ND-8GUY] (noting that BIPA governs both biometric identifiers and biometric information, covering physical traits such as retina scans, fingerprints, voiceprints, and facial geometry as well as data derived from those identifiers).

    [xxvi] See Chris Wager, Biometric Privacy Laws: What Businesses Need to Know Right Know, M.S. L. Grp. (Aug. 5, 2024), https://mslawgroup.com/biometric-privacy-laws-what-businesses-need-to-know-right-now [https://perma.cc/JDV6-FJGJ].

    [xxvii] 740 Ill. Comp. Stat. 14/15 (b)(2) (2025).

    [xxviii] 740 Ill. Comp. Stat. 14/15 (a) (2025) (requiring private entities to permanently destroy biometric identifiers and information once the initial purpose for collection has been satisfied or within three years of the individual’s last interaction, whichever occurs first).

    [xxix] 740 Ill. Comp. Stat. 14/15 (e) (2025) (mandating that entities protect biometric data using industry-standard care and safeguards equal to or greater than those for other sensitive information).

    [xxx] See 740 Ill. Comp. Stat. 14/20 (a) (2025) (clarifying that multiple instances of collections or disclosures of the same biometric data from the same individual to the same recipient count as a single violation for which only one recovery is available).

    [xxxi] Marcus, supra note xviii, at 141.

    [xxxii] Sheera Frenkel, The Militarization of Silicon Valley, N.Y. Times (Aug. 5, 2025), https://www.nytimes.com/2025/08/04/technology/google-meta-openai-military-war.html [https://perma.cc/YC79-6KV8] (reporting that major consumer-tech firms like Google, Meta, and OpenAI have increasingly partnered with the U.S. military).

    [xxxiii] Rebecca Isaacs, Ultrahuman and RingConn Rings May Disappear Soon–Here’s How to Buy One, Forbes (Sep. 4, 2025, at 4:16 PM EDT), https://www.forbes.com/sites/forbes-personal-shopper/2025/09/04/oura-ring-patent-lawsuit [https://perma.cc/7WD3-QZDU].

    [xxxiv] Oura Team, Oura Secures Decisive Legal Victory with ITC Patent Ruling, Oura Ring: The Pulse Blog (Aug. 22, 2025), https://ouraring.com/blog/oura-itc-case [https://perma.cc/8389-DPUR] (noting that the ruling underwent rigorous review and demonstrates the strength of the company’s patents and long-term IP strategy).

    [xxxv] Isaacs, supra note xxxiii.

    [xxxvi] Oura Team, supra note xxxiv; Kaitlyn Cimino, Two Smart Ring Brands Will No Longer Be Available to US Shoppers, Android Auth. (Aug. 25, 2025), https://www.androidauthority.com/oura-wins-patent-lawsuit-3590552 [https://perma.cc/VXH6-H4C2] (observing that the decision effectively reduced market variety).

    [xxxvii] Isaacs, supra note xxxiii.

    [xxxviii] Naranjo, supra note xx.

    [xxxix] Id.

    Healthcare Law Privacy Technology

    Read Next

    Copyright LawFeaturedIntellectual PropertySupreme Court

    Should Internet Providers Be the New Copyright Police? The Supreme Court Takes Up Cox v. Sony Music

    November 3, 2025By Victoria Reyes

    In a blockbuster case now before the Supreme Court, an Internet Service Provider (“ISP”), Cox Communications (“Cox”), faces liability for its users’ mass piracy of recorded music, a verdict that threatens to fundamentally reshape the boundaries of contributory copyright liability.[i] The Fourth Circuit upheld Cox’s liability for contributory infringement, while vacating its vicarious liability and […]

    Read More

    Entertainment LawEnvironmental ProtectionFeaturedPublic HealthTort law

    Chemical Whack-a-Mole: Why Our Environment Can’t Keep Up with PFAS

    November 5, 2025By Aracely Reyes-Rodriguez

    Welcome to the 98%, the not-so-exclusive club of Americans with measurable levels of forever chemicals in their blood; membership is automatic, but the health risks are still being calculated. A toxic threat flows from our taps. Per- and Polyfluoroalkyl substances (“PFAS”) are a family of thousands of synthetic compounds dubbed “forever chemicals” because their unique […]

    Read More

    View Past Publications
    Back to Top