And no one could possibly be surprised by this.
Those little trackers are a great idea and one can easily see them doing what so many other exercise gadgets fail to, which is to motivate people to exercise more.
The unfortunate truth - as with the glut of Internet-connected devices in the home - is that manufacturers just don't care about their users' privacy. Self-regulation doesn't work; never has. You can't rely on companies to keep their customers best interests at heart because that's not the way companies work. The only way to fix this perennial problem is to legislate and impose real penalties when companies don't respect their customers' privacy.
Of course, the core problem is that privacy is just not respected. Unfortunately, that extends to our government, so it's pointless hoping that they would implement any regulations to protect it.
One way to approach the problem is to say that any device that transmits or stores identifiable information in an insecure manner is unfit for purpose. I actually think that is quite a reasonable approach as these devices are sold on the merits of them exchanging data with personal devices and cloud services - most of them don't even have a display. Given that's the selling point, I find it reasonable to expect that that feature is implemented to a high standard, which demands security.