Nike no longer violates the Dutch data protection act with its Nike+ Running app (since renamed Nike+ Running Club). During an earlier investigation, the Dutch DPA had concluded that Nike did not provide sufficient information to the users of the running app about the processing of their health data. Nike had therefore not obtained the required explicit consent from the app users. Furthermore, Nike had not determined retention periods for the data. Following the Dutch DPA’s initial conclusions, Nike has taken measures to end the violations. Nike has meanwhile released new versions of the app in which the company requests consent for the processing of health data. The information to users has been improved, and Nike has effectuated fixed retention periods.
Via the app, Nike calculates running distances, speed and times. In order to be able to make these calculations, the app uses the location and other data from the smartphone. The app also calculates calories burned and stride length, based on the gender, height and weight of the user. Additionally, Nike calculates so-called ‘Fuel points’ – Nike’s own metric for the level of exertion – based on sensor data from the app. In the new app versions users can choose to use a default value for height and weight, to make the data less specific.
Health data
If you use the app, Nike knows your weight, the approximate amount of calories you burn, how much, how often and how intensively you exercise, for example. Nike uses the data on running activities of app users during 13 months for its own research and analysis purposes, and for example shows comparisons with the achievements of other runners of the same sex and age range. Based on these data, Nike is able to establish whether your condition (speed, duration an frequency of runs) is improving or deteriorating. These are sensitive data that give an indication of your state of health; there is a relationship between how often and intensively you exercise and your life expectancy. Nike may only process these sensitive data with the explicit consent of the app users. Currently, Nike informs user of the app through new app versions and in the modified privacy policy about the way in which the app processes health data.
Retention periods
The necessity of retention periods depends on the purpose for which the data are being used. Nike may store the health data during 13 months and use the data for the investigated, legitimate research and analysis purposes. This period is necessary because running events are often annual events.
Nike may store the data for a longer period of time for the purpose of giving access to users to their own data. Nike has done quantitative and qualitative research amongst users of the app after the publication of the investigation report by the AP. The research shows that users find it important to be able to get an overview of their running achievements even after years of inactivity. Nike has therefore created a technical separation between the login data (for the account) and the running data. After 13 months of inactivity the running data will be stored in encrypted quarantine. Then, only the user him or herself will be able to access the historical running data. Nike stores these encrypted data for almost 4 years.
Inactive users
As a result of the investigation Nike has encrypted all running data from inactive users in the Netherlands that are still using older versions of the app. This way, Nike excludes that these health data can be used for research and analysis purposes. Nike will send an email to all users of the app in the Netherlands that have not yet upgraded to the new app version. Nike will warn them to install the new app version.