Come and Get Your Data: Our Nike Story
"Have you ever wondered what kind of data is out there on you?" asked my colleague the other day.
"Does it make any sense? I mean, it feels like I will never be able to opt out, so does it do any good to bother?" I responded, and sort of moved on to whatever we were doing.
That question stayed in my head, though more as something in the background. But one day it came back, loud and clear.
During my daily bad habit of checking Facebook before bedtime, I noticed I was being targeted by a few carousels of sneaker advertising. I wondered for a moment: since when did I become a sneakerhead? Oh well, turns out very recently.
I did go to the Nike online shop a few days before, and I did check out a few models to order. I was hesitant about price and design: do I really need them, just one or two pairs? And trust me when I say I went there for the first time ever.
That night I realized I was not only being followed by Nike with a precise selection of the items I had been viewing, but also by two other online sneaker retailers that I had never visited, both of which still had the same precise item selection in their Facebook carousels.
“Well, well, time to get on these things,” I thought to myself. I also did order my few pairs from Nike, as a loyal customer, in the following days.
The real journey started when I decided to give a call to Nike Customer Service in Belgium and ask what kind of data they have on me. Something we all have the right to do, but how many of us have ever bothered to exercise that right?
A phone call
The Customer Service consultant was very well aware of the nature of my request and also well trained, with basic compliance knowledge of GDPR. He knew two important things immediately, with no extra questions asked:
1. I have the right to ask for my data;
2. He is obliged to provide an answer that will satisfy my curiosity.
The question is, though: how far does your curiosity want to go?
So he went on by asking my name and how I interact with Nike. He confirmed that they have the data from my Nike Training Club profile and my shipping details.
On the profile with NTC, he said they store my full name, email, age and location. He also correctly named all these details. It was all correct, which is great! But hey, he did just kind of trust me in sharing that, with no extra checks.
Still, I didn't stop there. "What shipping address do you have recorded for my profile?" And there he goes, spelling it all out correctly. "Oh wow! Just like that!" I thought to myself. How does he know it is really me? What if it was a female stalker calling up on my behalf?
"Did I fully answer your question?" the customer service representative asked politely.
"Well, yes and no. Thanks for confirming all these details. But what about all the other digital data from website browsing?" I insisted.
"What do you mean?" he asked to clarify, with more confusion coming into his voice.
Senior Team Engagement
I explained the whole story about the targeting to him, and how I was concerned and legally empowered to know what data they have beyond the NTC profile.
There I got the answer: "I need to consult with the senior team before I can get back to you."
"Now we are talking," I told myself. A few hours later I received an email confirmation that my request would be fulfilled within the 14-day time limit given by the EU to execute such rights.
Looking good, and even more exciting! And almost on time after the confirmation, I received the long-awaited mail.
Nike said: here, go and check out your data. Full of excitement and respect toward the company, I rushed to the link.
Boom... I need to log into my account. "Ok-ok, what was the password again?" Of course I forgot it, as it was a standard Facebook sign-in that I created years ago.
Yep, recovered... and here we go. But... Forbidden access! Really? Seriously?
It is not that easy at all, I realized, and set aside my journey to get my data in full, with all the details.
As I have gone back to Nike to pursue what I still need, I will keep updating you on the progress.
But I have learned already: it is not so easy to go and get your data, even when you have every right to do that and the company is also willing and capable of giving it to you.
Nike is a responsible business that trained its customer service for my kind of request, and they also did everything needed to fulfill it. That was my impression as their customer. And still, we failed.
Why so? Because it is not easy and we don't have tools to enforce GDPR at the consumer level. And please don't confuse consent management with being transparent about data privacy.