How does the UK regulate data collection by sports apps?
Published 13 August 2014 By: Hayley Lawrence
BACKGROUND TO APPS
When it comes to apps, sports fans are increasingly spoilt for choice. Apps may be developed and marketed to sports fans to promote a product, brand or event; to provide real-time statistics (for example the Sky Sports or BBC sports apps), video streaming or instant replays; to allow entry into a contest; to compete in games with other users; to enable "banter" with other fans; or to use global positioning system (GPS) technology to send promotional messages based on the user's location.
For example, the Sky Sports Football Score Centre app uses a user's location to suggest the nearest pub where users can watch football on Sky Sports. Sports apps that record users' fitness activities such as cycling and running are becoming increasingly popular. Examples of such apps include Strava, Runkeeper and MapMyRide/MapMyRun.
Many sports and exercise apps collect and use personal data from their users (if a living individual is capable of being identified from the data, then the data will be personal data). Personal data may include names, addresses and photographs but is not limited to such information. In the mobile environment, it would include a unique device identifier such as an IMEI number.
Accumulation of personal data brings with it legal obligations for developers. Data protection is not perhaps the most glamorous of the issues confronting the developers of a new app. Indeed, developers are, if anything, likely to resent data protection and privacy issues as an unwelcome intrusion into the serious business of creating a product that will stand out from the crowd.
However, data management on mobile devices is an issue of growing importance for both businesses and the public, as highlighted in the privacy in mobile apps guidance (the ICO Guidance) published by the Information Commissioner's Office (the ICO), which is responsible for overseeing data protection compliance in the UK. The ICO Guidance advises app developers how to ensure they remain legally compliant.
HOW THE UK PROTECTS DATA COLLECTION BY APPS
The Data Protection Act 1998
In the UK, data protection is governed largely by the Data Protection Act 1998 (the 1998 Act), which implements a European directive that applies across all 28 EU Member States.
When the 1998 Act came into force, apps were far away in the distant future. New data protection legislation, again originating in the EU, is in the offing but it is very apparent that this is an area where the law has struggled to keep up with technology. Accordingly, the legislative gaps tend to be plugged periodically by non-statutory guidance, like that published in December 2013 by the ICO directed at app developers.
The role of Data Controllers
The 1998 Act requires the "data controller" – the person (including a company) who determines the purposes for which, and the manner in which, any personal data are processed – to collect and use personal data in accordance with eight data protection principles. These principles include only using data for the purpose for which it was collected, keeping data accurate and up to date, and keeping data secure.
For example, if a user purchased tickets for a sporting event using an app, the 1998 Act requires that information such as name and address be stored securely. If an app user changed their details, these should be updated to ensure that records are accurate; failure to do so may, for example, lead to tickets being sent to the wrong address.
As the data controller is responsible for ensuring users' personal data is managed in accordance with the 1998 Act, knowing whether you are a data controller and what your duties are is of paramount importance. It is rare for a UK business that holds personal data about individuals, including subscribers, customers or employees, not to be a data controller for the purposes of the 1998 Act (and such a business will therefore be required to register with the ICO).
Even where services are contracted out, such as website hosting, responsibility for data protection remains with the data controller.
The ICO Guidance makes the point that users should be entitled to insist upon their personal information being deleted. This chimes with the recent European Court of Justice decision concerning Google and the "right to be forgotten". That case requires data controllers, like Google, to remove links to outdated or irrelevant information when searches are performed for their names.
Requirements to ensure appropriate data protection of users
Users need to be told in simple language what will happen to their personal data if they install and use the app. This is part of Principle 1 of the 1998 Act – that personal data be processed fairly and lawfully. As well as explaining what personal data will be held, it is important to spell out why it will be used in a particular way, for example to market other products in which the user might be interested. The ICO Guidance gives the example of a user who allows the developer access to the list of contacts on their mobile phone so that the developer can make recommendations to their friends: the app should say in plain English what the contact list will be used for. Developers always need to have in mind their target user – for instance, the language used will be different if the app is targeted at children rather than at adults.
Where the app is supported by advertising, this should be made clear to users, who should be "given information relating to any analytics". Analytics may include obtaining information about who uses the app, on what devices and where they come from; they are often used to analyse data to identify patterns and trends included within the app. Where personal data is to be passed to third parties, again, the user must be told of this.
ICO recommendations to developers on appropriate data protection measures
The ICO recommends the use of pop-up disclosures as one way that companies can meet their obligations under the 1998 Act by informing users of how they plan to use their personal data and to obtain consent for that use.
The ICO also recommends the use of "just-in-time" notifications so that the information is provided to the user just before data processing takes place. The suggestion is that "just-in-time" notifications will be particularly appropriate when "more intrusive data" such as location data are being collected. Website policies can be supplementary to in-app policies. An example of a detailed website policy for an app is that of Fulham F.C.
Finally, the ICO Guidance provides that users should be able to easily review and change their data privacy choices once the app has been installed and in a single and obvious place.
Ensuring security and privacy
Ensuring that personal data is maintained securely is one of the data protection principles. The guidance includes suggestions on how this may be achieved, in particular focusing on effective password security and using tried and tested cryptographic methods rather than implementing your own cryptography.
Different apps will, of course, have differing privacy and security risks, so it will be sensible to conduct security testing, vulnerability scanning and more in-depth penetration testing prior to rolling out the app.
For example, Strava is a sports app that can be used to record a user's bike rides and runs, including providing a map of the route. A user can customise their privacy settings to hide their home or office location, so that it does not appear on the map that is posted online. Failing to test this additional privacy setting before going live would have significant consequences if it did not work in the live environment.
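The privacy setting described above is the kind of feature the ICO expects to be tested before release. The following is an added illustration of a "privacy zone" filter and its pre-release check; it is example code written for this article, not Strava's implementation, and the zone radius and coordinates are constructed sample values.

```python
"""Privacy-zone filter for a recorded GPS route (illustrative example).

Points inside any user-defined zone (e.g. around home or office) are
dropped, not blanked, so the published track never contains a
coordinate inside the zone. leaks_zone() is the check a release test
would run against the track that is about to be published."""
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def apply_privacy_zones(route, zones):
    """Return only the points of `route` lying outside every zone.

    route: list of (lat, lon); zones: list of (lat, lon, radius_m)."""
    return [
        (lat, lon) for lat, lon in route
        if all(haversine_m(lat, lon, zlat, zlon) >= r for zlat, zlon, r in zones)
    ]


def leaks_zone(route, zones):
    """Pre-release check: True if any point still falls inside a zone."""
    return any(
        haversine_m(lat, lon, zlat, zlon) < r
        for lat, lon in route for zlat, zlon, r in zones
    )


# Constructed sample: a short ride starting at "home" in central London.
HOME = (51.5074, -0.1278)
SAMPLE_ROUTE = [
    (51.5074, -0.1278),  # front door
    (51.5080, -0.1270),  # roughly 90 m away, still inside the 500 m zone
    (51.5120, -0.1200),  # roughly 740 m away
    (51.5200, -0.1100),  # roughly 1.9 km away
]
ZONES = [(HOME[0], HOME[1], 500.0)]

if __name__ == "__main__":
    published = apply_privacy_zones(SAMPLE_ROUTE, ZONES)
    print(published, "leaks home:", leaks_zone(published, ZONES))
```

The raw route fails the check and the filtered route passes it, which is exactly the pair of outcomes a release test for this setting should assert on.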
The ICO makes the point that privacy testing should not be confined to the development stage but is an ongoing process. In particular, testing should be carried out after any changes to the app's code as modifications that might appear to be minor may in fact have a significant impact on data protection.
For example, where removing a screen tap speeds up an activity, that tap may have been relied upon as evidence that the user had granted consent. Where the app gives users a choice on whether to permit or deny access to personal data, the developer should test the user experience in both scenarios.
Whilst businesses marketing to sports fans may well be worrying about how to manage personal data collected through apps, not least because this is new technology where the 1998 Act has not been fully tested, the ICO takes an optimistic view, believing that achieving compliance should not be an unduly onerous task.
THE STATUS AND ROLE OF THE ICO GUIDANCE
The ICO Guidance is not mandatory but compliance with it will reduce the risks of the 1998 Act being contravened (with the possibility of a fine of up to £500,000 for the most serious breaches and any reputational damage that this may incur).
However, the very fact that the ICO has published this guidance may prompt a dim view from the ICO of any developer of a sports app which fails to pay due heed to issues of data protection. One way of reducing the risks of contravention is to collect only the minimum amount of personal data necessary to enable the app to function – a point made in the ICO Guidance.
Companies can run into trouble where data protection and privacy are an afterthought. The ICO Guidance highlights the fact that privacy is much easier to consider from the outset of a project rather than as an afterthought.
Following the ICO's recommendations makes business sense as well. The ICO suggests that consumers have concerns about how their personal data may be used and clearer statements from the developer may help to assuage those concerns (and thereby encourage take-up). The ICO referred to survey evidence showing that 49 per cent of app users had chosen not to download an app because of privacy concerns. In a crowded market, where the product – the app – is a "nice to have" rather than a necessity, organisations promoting apps to sports fans, that fail to show that they are managing personal data collected responsibly, may lose business.
This work was written for and first published on LawInSport.com (unless otherwise stated) and the copyright is owned by LawInSport Ltd. Permission is granted to make digital or hard copies of this work (or part, or abstracts, of it) for personal use provided copies are not made or distributed for profit or commercial advantage, and provided that all copies bear this notice and full citation on the first page (which should include the URL, company name (LawInSport), article title, author name, date of the publication and date of use) of any copies made. Copyright for components of this work owned by parties other than LawInSport must be honoured.