The Norwegian Consumer Council has filed a complaint in which it accuses a fitness-based mobile app of continuously tracking users even when they’re not exercising and of failing to delete personal data when requested by users to do so.
In the complaint (PDF) filed on May 10th, the Council asks the Norwegian Data Protection Authority to investigate whether Runkeeper has violated Norwegian and European data protection laws and whether it is in a position to take action.
Owned by FitnessKeeper Inc., Runkeeper is a fitness app that allows users to track how fast they and their friends are running. It provides this service by requesting users’ location via the GPS hardware on their mobile devices, as its permission website reveals:
“Location: We hope this one is self-explanatory, but we do in fact use your location to track your workouts. The GPS hardware exists on your phone and Runkeeper needs this permission into [sic] order to use your phone’s GPS so we can be your workout buddy on the road!”
But there might be a catch.
In a study involving the privacy policies of over 20 different apps, research organization SINTEF found on behalf of the Norwegian Consumer Council that Runkeeper was sending personal data to a third-party organization called Kiip.me, a service for delivering content to mobile devices.
That communication was not limited to times during which the app was in active use, either. The Norwegian Consumer Council explains:
“Runkeeper was the only application that contacted Kiip.me when SINTEF tested the applications one by one, and the only app in which SINTEF detected Kiip.me source code. SINTEF has also established that Runkeeper used GPS while the mobile phone was not in use.”
For that reason, not to mention Runkeeper’s tendency to store personal data indefinitely and in spite of users’ requests to have it deleted, the Norwegian Consumer Council has asked the Norwegian Data Protection Authority to investigate whether a breach of user privacy has occurred.
It’s important to note, however, that even if the regulatory authority finds evidence of a breach, it might not be able to intervene.
Although Runkeeper has been downloaded by users worldwide, FitnessKeeper Inc. is based in Massachusetts, which means the Norwegian Data Protection Authority has no official jurisdiction over the app developer and its privacy policies.
A statement released by FitnessKeeper Inc. seems to indicate that the company is nevertheless taking this recent complaint seriously. As quoted by Ars Technica:
“We were recently made aware of a complaint filed by the Norwegian Consumer Council with the Norwegian Data Protection Authority. Our users’ privacy is of the utmost importance to us, and we take our obligation to comply with data protection laws very seriously. We are in the process of reviewing the issues raised in the complaint, and we will cooperate with the Norwegian DPA if it has any questions arising out of the complaint.”
The Norwegian Data Protection Authority’s investigation into Runkeeper is currently ongoing.