To explore the privacy implications of health big data, and to develop concrete proposals for how to resolve privacy issues and at the same time reap the benefits of big data techniques, CDT has undertaken a series of consultations with stakeholders and experts. We examined three scenarios: (1) clinical and administrative data generated by health care providers and payers; (2) health data contributed by consumers using the Internet and other consumer-facing technologies; and (3) health data collected by federal, state, and local governments. In this paper, we focus on the second of these scenarios: health data collected by non-HIPAA-covered entities through consumer-facing technologies. This includes mobile apps, wearable devices, personal health record platforms, social networks, and any other consumer-facing entities outside of the HIPAA framework that collect or share health data relating to individuals. We refer to these as consumer-facing entities, and we refer to their products and services as consumer products. We look both at big data uses by those entities, and at their disclosures of data to third parties for research and other analytic purposes.