The mobile fitness industry has grown $400 million in the last six years. In 2015, mobile fitness apps generated more than $3 billion in venture-capital investment, up from $1.3 billion in 2012. Millennials, the largest generation since the Baby Boomers, are clearly setting the pace. According to a recent study, one in three Millennials, a group that spends more on health and fitness consumption than any previous generation, shares fitness-related information over text, social media, or email at least once per week. Considering that the wearable technology industry is expected to triple in size in the next five years, growth in the market for fitness and activity tracking apps shows no signs of abating. Yet, at least one European privacy authority thinks developers of these popular apps should slow down, towel off, and re-think data retention and privacy concerns.

In November, the Dutch Data Protection Authority (the "CBP"), the supervisory body charged with enforcing personal data protection laws, published a report outlining several alleged violations of Dutch data protection law following its investigation into Nike's fitness app, the Nike+ Running app ("Nike+"). Nike+ is a smartphone app that can be synced with tracking sensors in running shoes or with other wearable devices.

The CBP asserted that Nike violated Dutch privacy law based on two premises: first, that the Nike+ app collected "data concerning health" of its users, thereby triggering stricter privacy protections; and second, that Nike did not sufficiently inform users in its privacy notices about the types of personal data it collects and processes and, as such, users of the Nike+ app had not given requisite consent to the specific ways in which Nike processed health data.

The Nike+ app tracks distance, speed, time, and calories burned during a user's running workout. To calculate the number of calories burned and stride length, users were asked to specify their gender, height, and weight before the first workout. Using this information in combination with GPS technology, Nike+ is able to track the user's performance over a workout session. According to the CBP, data from individual workout sessions were not only captured on a user's device but also retained indefinitely on Nike's servers, allowing Nike+ to build a profile for each user, track workout progress, compare segments of an individual's performance against comparable user groups, and otherwise use the data for its own analytic purposes. The CBP concluded that the collected data, when viewed individually, are snapshots of a user's physical condition, but if retained indefinitely as part of a user profile, Nike+ could deduce a user's physical condition over time. Thus, the CBP found that such data qualify as "data concerning health," and developers of fitness tracking apps must satisfy statutory exceptions and obtain, for example, "explicit consent" before processing such data.

The CBP also found that the disclosures in the Nike+ privacy policy were not sufficient to establish explicit user consent for all the ways the data are used. Specifically, the CBP claimed, among other things, that the Nike+ privacy policy did not clearly explain that collected data were stored indefinitely on Nike servers (absent a user actively deleting her account). The Dutch agency also claimed that the policy did not explain in detail that the aggregation of the data produces an overview of an individual's athletic performance over time, for uses that include research and analysis by Nike. According to the CBP, more specific disclosures about the extent of processing of health data over time were necessary for a user to give "explicit consent" to the fitness app.

Following the CBP's investigation, Nike agreed to take measures to remedy any Dutch privacy violations. These include notifying existing users of the app (and Nike+ users on the web) that height and weight are optional and asking them for consent to retain existing data, and introducing a single privacy policy with greater disclosures and a data retention period for inactive users. In the end, the Nike+ investigation provides valuable guidance for the mobile health industry regarding privacy issues. Particularly with respect to the privacy of users in the EU, the message to mobile fitness app developers is clear: you really can't just do it (without proper notice).