Don't do what the Spanish Soccer League did (GDPR related)

Spanish professional soccer league La Liga was recently hit with a €250,000.00 fine for a feature in its mobile app that surreptitiously collected audio data to find game piracy. The app is used by soccer fans in Spain to track match times, scores, transfer, etc., and has about 10 million downloads. Spanish data authorities fined La Liga because, in addition to serving up scores and highlights, the app turned on the microphones in users’ phones in order to listen for audio from a copyrighted game, say, for example, at a bar. Armed with that information, league officials could demand that establishments pay a licensing fee if they had been showing the match without the appropriate license.

Spain’s data protection agency ruled that the technology violated user privacy. The league disagrees, and is planning to appeal, claiming that the app clearly notifies users about the feature and gives them a chance to opt out. The league also said that the app is carefully designed to avoid violating user privacy. Given that this story has caused furor in Spain, I guarantee you that the app permissions buried this particular functionality where nobody would read it.

What can you take from this? First: don’t do this. Using your users to spy on establishments they frequent is incredibly shady. Second: if you’re going to do something like record ambient audio, you need to be very clear in your consents, terms of service, and privacy policy, and disclose both the fact of the collection as well as what you plan to do with data recorded. I would even suggest making the recording off by default, and requiring a user to opt in.