February 19, 2019

February 18, 2019

Subscribe to Latest Legal News and Analysis

Dutch Privacy Watchdog to Nike - You Can't Just Do It

The mobile fitness industry has grown $400 million in the last six years. In 2015, mobile fitness apps generated more than $3 billion in venture-capital investment, up from $1.3 billion in 2012. Millennials, the largest generation since the Baby Boomers, are clearly setting the pace. According to a recent study, one in three Millennials, a group that spends more on health and fitness consumption than any previous generation, shares fitness-related information over text, social media, or email at least once per week. Considering that the wearable technology industry is expected to triple in size in the next five years, growth in the market for fitness and activity tracking apps shows no signs of abating. Yet, at least one European privacy authority thinks developers of these popular apps should slow down, towel off, and re-think data retention and privacy concerns.

In November, the Dutch Data Protection Authority (the "CBP"), a supervisory body engaged to enforce personal data protection laws, published a report outlining several alleged violations of Dutch data protection law following its investigation into Nike's fitness app, the Nike+ Running app ("Nike+"). Nike+ is an app for a smartphone with capability to be synced with tracking sensors in running shoes or with other wearable devices.

The CBP asserted that Nike violated Dutch privacy law based on two premises: first, that the Nike+ app collected "data concerning health" of its users, thereby triggering stricter privacy protections; and second, that Nike did not sufficiently inform users in its privacy notices about the types of personal data it collects and processes and, as such, users of the Nike+ app had not given requisite consent to the specific ways in which Nike processed health data.

The Nike+ app tracks distance, speed, time, and calories burned during a user's running workout. To calculate the amount of calories burned and stride length, users were asked to specify their gender, body length, and weight before the first workout. Using such information in connection with GPS technology, Nike+ is able to track the user's performance over a workout session. According to the CBP, data from individual workout sessions was not only captured on a user's device, but also was retained indefinitely on Nike's servers, allowing Nike+ to build a profile for each user, track workout progress, compare segments of an individual's performance against comparable user groups, and otherwise use the data for its own analytic purposes. The CBP concluded that the collected data, when treated individually, are snapshots of a user's physical condition, but if retained indefinitely as part of a user profile, Nike+ could deduce a user's physical condition over time. Thus, the CBP found that such data qualifies as "data concerning health" and developers of fitness tracking apps must satisfy statutory exceptions and obtain, for example, "explicit consent" before processing such data.

The CBP also found that the disclosures in the Nike+ privacy policy were not sufficient to establish explicit user consent for all the ways the data is used. Specifically, the CBP claimed, among other things, that the Nike+ privacy policy did not clearly explain that collected data was stored indefinitely on Nike servers (absent a user actively deleting her account). The Dutch agency also claimed that the policy did not explain in detail that the aggregation of the data involves an overview of an individual's athletic performance over time, for uses that include research and analysis by Nike. According to the CBP, more specific disclosures about the extent of processing of health data over time were necessary for a user to give "explicit consent" to the fitness app.  

Following the CBP's investigation, Nike agreed to take measures to remedy any Dutch privacy violations. These include: notifying existing users of the app (and Nike+ users on the web) that height and weight are optional, and asking them for consent to retain existing data; introducing a single privacy policy with greater disclosures and a data retention period for inactive users. In the end, the Nike+ investigation provides valuable guidance for the mobile health industry regarding privacy issues.  Particularly with respect to the privacy of users in the EU, the message to mobile fitness app developers is clear – you really can't just do it (without proper notice).

© 2019 Proskauer Rose LLP.

TRENDING LEGAL ANALYSIS


About this Author

L. Robert Batterman, Labor, Management, Sports, Attorney, Proskauer, Law Firm
Partner

A partner since 1974, Bob Batterman has considerable experience representing both individual employers and multi-employer groups in union relations and collective bargaining. Much of Bob’s time is spent in day-to-day contact with clients, often in “crisis” situations where a rapid resolution of union-related problems is vital.

Bob is a senior member of our nationally recognized Sports Law Group, serving as labor counsel to the National Hockey League, Major League Soccer and the National Football League. He has extensive experience in collective...

212-969-3010
Michael Cardozo, Commercial Litigation Attorney, Proskauer, Law Firm
Partner

Michael A. Cardozo is a Partner in Proskauer’s Litigation Department and the former Corporation Counsel for the City of New York. As the city's 77th and longest serving Corporation Counsel, he was the city’s chief legal officer, headed the city's Law Department of more than 700 lawyers, and served from 2002 through 2013 as legal counsel to Mayor Michael Bloomberg, elected officials, the city and its agencies.

Michael’s experience managing large litigations in both the private and public sectors provides him with unique insight into litigation assessments, risk management and mitigation issues. In his role as head of the New York City Law Department, he effected numerous changes that resulted in significantly increased efficiency. He achieved this by greatly expanding the use of technology and statistical data allowing for effective risk/cost analysis of cases.

212-969-3230
Robert L. Freeman, Technology, Media, Sports, Attorney, Proskauer, Law Firm
Partner

Robert E. Freeman is a Partner in the Corporate Department and a member of the Sports Law Group and Technology, Media & Communications Group.

Rob began his career as an intellectual property litigator before shifting the focus of his practice to intellectual property-related transactions. Today, he helps lead a team of media, sports and entertainment attorneys representing clients such as Time Warner Cable, Discovery Communications, the WTA, the Orlando Magic, Scripps Networks, Armstrong Cable, the PAC-12, Insight Communications and CBS Sports. Rob’s work for these clients...

212-969-3170
Howard Ganz, Sports, Employment Attorney, Proskauer, Law Firm
Partner

Howard Ganz is co-head of the Sports Law Group and former co-Chair of the Labor & Employment Law Department.

Howard represents and counsels clients with respect to a wide variety of labor and employment matters, such as employment discrimination, sexual harassment, wrongful discharge, defamation, breach of contract, discipline, and large-scale reductions-in-force. His litigation experience has run the gamut, from single plaintiff lawsuits to major class actions, in federal and state courts in New York and elsewhere. The clients Howard has represented include the National...

212-969-3035
Wayne D. Katz, Finance, Sports, Attorney, Proskauer, Law Firm
Partner

Wayne D. Katz is a Partner in the Corporate Department, specializing in the sports industry.

Wayne's experience includes the representation of the National Basketball Association and National Hockey League in their various corporate matters, including team ownership transfers and team financings. Major transactions he has worked on for the leagues include the NBA’s purchase and sale of the New Orleans Hornets; the NBA's grant of expansion franchises to Toronto, Vancouver and Charlotte; the NHL's grant of expansion franchises to Nashville, Atlanta, Columbus and Minnesota; the NBA’s $...

212-969-3071