How does the UK regulate data collection by sports apps?

BACKGROUND TO APPS

Sports apps

When it comes to apps, sports fans are increasingly spoilt for choice. Apps may be developed and marketed to sports fans to promote a product, brand or event; to provide real-time statistics (for example the Sky Sports or BBC sports apps), video streaming or instant replays; to allow entry into a contest; to compete in games with other users; to enable "banter”, with other fans; or to use global positioning system (GPS) technology to send promotional measures based on the user's location.

For example, the Sky Sports Football Score Centre app uses a user's location to suggest the nearest pub where users can watch football on Sky Sports. Sports apps that record users' fitness activities such as cycling and running are becoming increasingly popular. Examples of such apps include strava¹, runkeeper² and mapmyride/mapmyrun ³.

Data Collection

Many sports and exercise apps collect and use personal data from its users, (if a living individual is capable of being identified from the data, then the data will be personal data). Personal data may include names, addresses and photographs but is not limited to such information. In the mobile environment, it would include a unique device identifier such as an IMEI number.

Accumulation of personal data brings with it legal obligations for developers. Data protection is not perhaps the most glamorous of the issues confronting the developers of a new app. Indeed developers are, if anything, likely to resent data protection and privacy issues as an unwelcome intrusion into the serious business of creating a product that will stand out from the crowd.

However, data management on mobile devices is an issue of growing importance for both businesses and the public, as highlighted in the privacy in mobile apps guidance (the ICO Guidance⁴) by the Information Commissioner's Office⁵ (the ICO), who is responsible for overseeing data protection compliance in the UK. The ICO Guidance advises app developers how to ensure they remain legally compliant.

HOW THE UK PROTECTS DATA COLLECTION BY APPS

The Data Protection Act 1998

In the UK, data protection is governed largely by the Data Protection Act 1998⁶ (the 1998 Act), which implements a European directive that applies across all 28 EU Member States.

When the 1998 Act came into force, apps were far away in the distant future. New data protection legislation, again originating in the EU, is in the offing but it is very apparent that this is an area where the law has struggled to keep up with technology. Accordingly, the legislative gaps tend to be plugged periodically by non-statutory guidance, like that published in December 2013 by the ICO directed at app developers.

The role of Data Controllers

For example, if a user purchased tickets for a sporting event using an app, the 1998 Act requires that information such as name and address are stored securely. If an app user changed their details these should be updated to ensure that records are accurate, failure to do so may for example lead to tickets being sent to the wrong address.