Hacker News

I work for Fitbit, but I don't speak for Fitbit.

However, this page does speak for Fitbit: https://www.fitbit.com/legal/privacy

For insurers to purchase data on Fitbit users, they'll have to purchase it from the users themselves.




Is there a legal structure in place that would prevent a new owner from rewriting the privacy policy and doing whatever the hell they wanted?


I'm not a lawyer. In high school I took a class that covered some aspects of contract law. Want my speculation?

I do know something about the financial incentives, though. Fitbit's users are its customers. Insurers and employers are a small part of revenue. The people Fitbit needs to keep happy are users.


No need to speculate. Of course it would be reassuring if there was something in the privacy policy that directly addressed the question.

There is stuff like "If we are involved in a merger, acquisition, or sale of assets, we will continue to take measures to protect the confidentiality of personal information and give affected users notice before transferring any personal information to a new entity."

But "measures" and "notice" are pretty weak sauce if they can result in the new entity still doing whatever it wants with the data. How about an explicit opt-in policy that would actually impact the sale value of the data?


IMO something that specifically addressed an acquisition wouldn't add anything.

Either Fitbit's acquirer is contractually bound by the privacy policy or it isn't. If it isn't, then the specifics about acquisition don't add anything. If it is, then "We pledge...to never sell your personal data" is enough.

FWIW, Fitbit's publicly traded stock is non-voting, so hostile takeover is not possible.


Something about offering to delete a user's data before material changes to the privacy policy took effect would be meaningful in more circumstances than acquisition.

It's kinda maybe in there already, but not directly (there is an offer to delete data and the language about continuing to use the service given a change).

I consider the pledge to be nearly meaningless. It's certainly a statement of good faith from the people working at and controlling the company today, but without any sort of legal teeth, it's also little more than a wet napkin.


In some circumstances privacy policies have had legal teeth, "particularly when parties claiming a breach have alleged that they read and subsequently relied on the policy prior to transacting business with the site operator" according to this page:

http://lawprofessors.typepad.com/contractsprof_blog/2010/08/...


Ehhh... one of the big fights a decade ago was over DRM being built into CPUs and displays at the behest of entertainment companies. (They seem to have won that fight, as I now cannot find a Lightning to HDMI cable that is “compatible” with Netflix.) During the years over which that controversy raged, I was always struck by the fact that companies like Microsoft and Intel were bending over backward to cater to Hollywood, not their customers.

Fitbit seems like a cool company and I don’t personally distrust them, but I don’t think that particular argument holds water.


The DRM situation was such that Hollywood had the power to deny access to something Microsoft and Intel's customers wanted. Those companies might fear that if they didn't implement DRM, customers would buy a competitor's display or CPU that did implement DRM and let them watch movies.

I don't really see what the analogous situation would be with insurers and Fitbit. Fitbit won't lose customers to a competitor that violates their privacy.



