Nike modifies running app after Dutch DPA investigation
Nike gives users of the Nike+ Running app insufficient information about the processing of their health data. Nike also does not obtain the requisite, explicit consent from the app users. This is the finding of the Dutch Data Protection Authority after its investigation of the app. As a result of the investigation, Nike has taken measures, and announced further measures to be taken. The Dutch DPA will examine these in the coming period to establish whether they are sufficient to ensure that Nike is no longer in breach of the law. Via the app, Nike calculates running distances, speed and times. In order to be able to make these calculations, the app uses the location and other data from the smartphone. The app also calculates calories burned and stride length, based on the gender, height and weight supplied by the user. Nike also calculates so-called 'Fuel points’ - Nike's own metric for the level of exertion - based on sensor data from the app.
If you use the app, Nike knows your weight, how many calories you burn, how much, how often and how intensively you exercise, for example. Nike stores the running activities of app users over a period of time. Based on these data, Nike is able to establish whether your condition (shape) is improving or deteriorating. These are sensitive data that give an indication of your state of health; there is a relationship between how often and intensively you exercise and your life expectancy. These specific categories of data may only be processed with the explicit consent of the users.
Nike is in contravention of the Dutch Data Protection Act because it insufficiently informs users about the processing of their health data via the app. This means that there is no informed consent. Additionally, Nike doesn't inform users that personal data are being processed for analytical and research purposes, for example by segmenting users based on age, gender, experience and running level and calculating the average achievements per segment.
As a result of the Dutch DPA investigation Nike has taken a number of effective measures. Since this summer, new users of the app have no longer been obliged to give their height and weight. New versions of the app also contain extra information about the processing of height and weight data. Nike has announced further measures to improve the information given to users about the processing of their health data in the coming months. It has also announced that it will retrospectively seek consent from all existing users for the processing of their health data.
Three out of four people in the Netherlands have a smartphone, and the devices are increasingly being used to monitor health and lifestyle. It is expected that in 2017 some 5 million Dutch people will use one or more health or fitness apps. Running is a popular sport in the Netherlands, with almost two million people engaged in it. Worldwide, the Nike+ Running app has been downloaded 10-50 million times to Android devices. The Apple iPhone version of the app has twelfth place in the list of most frequently downloaded fitness apps in the Netherlands.
- 30 November 2015DownloadPDF