Dutch Privacy Watchdog to Nike - You Can't Just Do It
The mobile fitness industry has grown $400 million in the last six years. In 2015, mobile fitness apps generated more than $3 billion in venture-capital investment, up from $1.3 billion in 2012. Millennials, the largest generation since the Baby Boomers, are clearly setting the pace. According to a recent study, one in three Millennials, a group that spends more on health and fitness consumption than any previous generation, shares fitness-related information over text, social media, or email at least once per week. Considering that the wearable technology industry is expected to triple in size in the next five years, growth in the market for fitness and activity tracking apps shows no signs of abating. Yet, at least one European privacy authority thinks developers of these popular apps should slow down, towel off, and re-think data retention and privacy concerns.
In November, the Dutch Data Protection Authority (the "CBP"), a supervisory body engaged to enforce personal data protection laws, published a report outlining several alleged violations of Dutch data protection law following its investigation into Nike's fitness app, the Nike+ Running app ("Nike+"). Nike+ is an app for a smartphone with capability to be synced with tracking sensors in running shoes or with other wearable devices.
The CBP asserted that Nike violated Dutch privacy law based on two premises: first, that the Nike+ app collected "data concerning health" of its users, thereby triggering stricter privacy protections; and second, that Nike did not sufficiently inform users in its privacy notices about the types of personal data it collects and processes and, as such, users of the Nike+ app had not given requisite consent to the specific ways in which Nike processed health data.
The Nike+ app tracks distance, speed, time, and calories burned during a user's running workout. To calculate the amount of calories burned and stride length, users were asked to specify their gender, body length, and weight before the first workout. Using such information in connection with GPS technology, Nike+ is able to track the user's performance over a workout session. According to the CBP, data from individual workout sessions was not only captured on a user's device, but also was retained indefinitely on Nike's servers, allowing Nike+ to build a profile for each user, track workout progress, compare segments of an individual's performance against comparable user groups, and otherwise use the data for its own analytic purposes. The CBP concluded that the collected data, when treated individually, are snapshots of a user's physical condition, but if retained indefinitely as part of a user profile, Nike+ could deduce a user's physical condition over time. Thus, the CBP found that such data qualifies as "data concerning health" and developers of fitness tracking apps must satisfy statutory exceptions and obtain, for example, "explicit consent" before processing such data.