Nike no longer violates the Dutch data protection act with its Nike+ Running app (since renamed Nike+ Running Club). During an earlier investigation, the Dutch DPA had concluded that Nike did not provide sufficient information to the users of the running app about the processing of their health data. Nike had therefore not obtained the required explicit consent from the app users. Furthermore, Nike had not determined retention periods for the data. Following the Dutch DPA’s initial conclusions, Nike has taken measures to end the violations. Nike has meanwhile released new versions of the app in which the company requests consent for the processing of health data. The information provided to users has been improved, and Nike has put fixed retention periods into effect.
Via the app, Nike calculates running distances, speed and times. In order to be able to make these calculations, the app uses the location and other data from the smartphone. The app also calculates calories burned and stride length, based on the gender, height and weight of the user. Additionally, Nike calculates so-called ‘Fuel points’ – Nike’s own metric for the level of exertion – based on sensor data from the app. In the new app versions users can choose to use a default value for height and weight, to make the data less specific.
The necessity of retention periods depends on the purpose for which the data are being used. Nike may store the health data for 13 months and use the data for the investigated, legitimate research and analysis purposes. This period is necessary because running events are often annual events.
Nike may store the data for a longer period of time for the purpose of giving users access to their own data. Nike has done quantitative and qualitative research amongst users of the app after the publication of the investigation report by the Dutch DPA (AP). The research shows that users find it important to be able to get an overview of their running achievements even after years of inactivity. Nike has therefore created a technical separation between the login data (for the account) and the running data. After 13 months of inactivity the running data will be stored in encrypted quarantine. From then on, only the user himself or herself will be able to access the historical running data. Nike stores these encrypted data for almost 4 years.
As a result of the investigation, Nike has encrypted all running data from inactive users in the Netherlands who are still using older versions of the app. This way, Nike rules out the use of these health data for research and analysis purposes. Nike will send an email to all users of the app in the Netherlands who have not yet upgraded to the new app version. Nike will warn them to install the new app version.