The individual right of access to one's own data is a crucial privacy protection long recognized in U.S. federal privacy laws. Mobile health devices and research software used in citizen science often fall outside the HIPAA Privacy Rule, leaving participants without HIPAA's right of access to one's own data. Absent state laws requiring access, the law of contract, as reflected in end-user agreements and terms of service, governs individuals' ability to find out how much data is being stored and how it might be shared with third parties. Efforts to address this problem by establishing norms of individual access to data from mobile health research unfortunately can run afoul of the FDA's investigational device exemption requirements.