A test carried out by SINTEF at the behest of the Norwegian Consumer Council has found that the fitness app Runkeeper (the Android version) transmits data about its users round the clock, irrespective of whether or not the app is in use. This practice is not explained in the terms of service, and users have not given their consent.
“Everyone understands that Runkeeper tracks users while they exercise, but to continue to do so after the training session has ended is not okay,” says Technical Director Finn Myrstad at the Consumer Council.
“Not only is it a breach of privacy laws; we are also convinced that users do not want to be tracked in this way or for information about their location, level of fitness and training habits to be shared with third parties.”
The Norwegian Consumer Council is now lodging a complaint about the app with the Norwegian Data Protection Authority over breaches of Norwegian and European data protection laws.
User information is not deleted
The Consumer Council’s complaint to the Data Protection Authority also extends to the app’s lack of deletion routines. Looking at the company’s own terms of service, it is unclear whether personal data is deleted as a matter of routine or when the user requests it.
“Runkeeper is obliged to delete information once the information is no longer relevant or if the user account is deleted. We expect the company both to comply with European legislation and to state clearly how they are doing so,” says Finn Myrstad.
“When the company also renounces responsibility for the processing of user data by third parties, then it is clear that Runkeeper needs to have a good think about how it treats its users’ data and privacy.”
A number of concerns
The review of Runkeeper is part of the Norwegian Consumer Council’s “Appfail” campaign, which looks at how consumer and data protection is safeguarded in 20 popular apps.
Many of the apps have announced that they have changed or will be changing their practices. The campaign has also resulted in numerous complaints, including Tinder being reported to the Consumer Council and the French consumer organisation Que Choisir asked the French Data Protection Authority to investigate the Happn app with the French data protection authorities.
“Good consumer and privacy protection represents a competitive advantage for anyone offering digital services. We hope that the campaign will help raise awareness amongst consumers, app providers and the authorities alike,” says Finn Myrstad.
Director of Digital policy at the Norwegian Consumer Council.