On May 25th ZwiftPower, the central service for Zwift race results, announced a temporary closure due to GDPR-related issues. As a web developer myself I am well-acquainted with the challenges GDPR poses to companies working with personal data, so I chatted a bit with the ZwiftPower folks to get their take on the situation. (Note: I also reached out to Zwift, but haven’t heard back from them yet.)
First, a Bit About GDPR
The General Data Protection Regulation was passed by the European Union on April 14, 2016, with enforcement beginning May 25, 2018. It created an EU-wide set of standards for the protection of personal data relating to EU Internet users. But it is important to note that GDPR standards apply to the personal data of EU users regardless of the location of the entity holding their data. So companies in the US (such as Zwift) who handle the personal data of EU users must comply with the law.
From the corporate standpoint, GDPR is a pain in the butt. But from the consumer’s standpoint, it’s a very good thing. As Techcrunch said, “… consumer trust is essential to fostering growth in the digital economy … trust can be won by giving users of digital services more information and greater control over how their data is used. Which is — frankly speaking — a pretty refreshing idea when you consider the clandestine data brokering that pervades the tech industry. Mass surveillance isn’t just something governments do.”
Zwift API Challenges
An Application Programming Interface is a set of tools which allow services to easily interact. In terms of Zwift, the API (until recently) allowed third-party sites to fetch your basic profile data, activity details, followers, followees, etc.
Third-party sites like ZwiftPower, ZwiftGPS and CVR’s CycleData have been pulling rider data from Zwift’s unofficial API for a long time. That all stopped this month when Zwift’s Wes Salmon posted the following on the Zwift Coders Facebook group:
Hey coders, I have some news about the current state of Zwift’s APIs and what some upcoming regulations mean for the future. It’s likely that no matter where you live in the world, you’ve heard of the new EU data protection law, known as the GDPR. The GDPR is going into effect on May 25th, 2018 and this will impact how the team here at Zwift HQ manages and secures our API endpoints.
While we work through the logistics of ensuring GDPR compliance in all of our data streams, we will need to make a few changes to our Zwift APIs.
First, we ask that any developer currently using the Zwift APIs to stop doing so by May 25th.
Second, we ask that you delete any personal data related to Zwift users collected through our APIs by May 25th…
So the core issue here is that Zwift’s API was exposing Zwifters’ personal data to third-party services in ways which were not compliant with GDPR standards. And since GDPR comes with potentially massive penalties for non-compliance, Zwift made the sensible decision to comply with GDPR even if it meant a temporary shutdown of some important community services.
In hindsight, it appears Zwift should have prioritized GDPR-related matters many months ago. That would have allowed the API to be updated earlier, so Zwift and the third-party sites would all have been compliant by May 25th. But let’s not cry over spilled milk.
When Will ZwiftPower Return?
ZwiftPower’s return timetable is in the hands of Zwift. Zwift has communicated June 1st as a target date for coming back online, but my sources at ZwiftPower (and myself) are doubtful that target will be hit, especially with the server team off work today since it is a public holiday in Rio.
What Are the Implications?
When ZwiftPower does return, Zwifters will need to explicitly consent to their rider/profile data being shared with ZwiftPower. ZwiftPower will not receive data from Zwift for users who do not consent (not even finishing lists) so this will have a major impact on ZwiftPower’s ability to display “accurate” race results.
For example, a race may have 100 participants, but if only 50 have consented to sharing their data then ZwiftPower’s finishing lists will only show those 50 riders.
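The consent-gated result filtering described above, as an added illustration that is not ZwiftPower’s or Zwift’s own code: the service keeps an explicit opt-in set, treats any rider not in that set as non-consenting (deny by default), builds the finishing list only from consenting riders, and purges a rider’s stored data when consent is withdrawn. The rider names, ids and finish times are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finisher:
    """One rider's result as it would arrive from the Zwift API (fields assumed)."""
    rider_id: int
    name: str
    finish_seconds: float


# Constructed sample data: a five-rider race, of whom three opted in to data sharing.
RACE_FINISHERS = [
    Finisher(101, "Rider A", 3600.0),
    Finisher(102, "Rider B", 3610.5),
    Finisher(103, "Rider C", 3590.2),
    Finisher(104, "Rider D", 3650.0),
    Finisher(105, "Rider E", 3605.0),
]
CONSENTED_RIDER_IDS = {101, 103, 105}


def consented_results(finishers, consented_ids):
    """Return the finishing list restricted to riders who explicitly opted in.

    A rider absent from consented_ids is excluded: consent is never assumed.
    Ranks are recomputed over the visible riders only, which is why the list
    can look "inaccurate" next to what happened in-game.
    """
    visible = [f for f in finishers if f.rider_id in consented_ids]
    visible.sort(key=lambda f: f.finish_seconds)
    return [(rank, f) for rank, f in enumerate(visible, start=1)]


def hidden_rider_count(finishers, consented_ids):
    """How many in-game finishers are missing from the published list."""
    return sum(1 for f in finishers if f.rider_id not in consented_ids)


def withdraw_consent(rider_id, finishers, consented_ids):
    """Handle a consent withdrawal: drop the opt-in and purge stored personal data.

    Returns the new (finishers, consented_ids) pair; inputs are left untouched so
    the caller can log the before/after state for an audit trail.
    """
    remaining = [f for f in finishers if f.rider_id != rider_id]
    return remaining, consented_ids - {rider_id}


if __name__ == "__main__":
    for rank, f in consented_results(RACE_FINISHERS, CONSENTED_RIDER_IDS):
        print(f"{rank}. {f.name} {f.finish_seconds:.1f}s")
    print("riders hidden:", hidden_rider_count(RACE_FINISHERS, CONSENTED_RIDER_IDS))
```

In the sample, Rider B finished fourth in-game but is not in the opt-in set, so the published list shows only three riders and the hidden count is two; withdrawing Rider A’s consent afterwards removes both the opt-in flag and the stored result in one step.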
Racers will know that a lesser but similar issue already exists with ZwiftPower, thanks to their proactive changes back in January 2018, when they implemented their own explicit opt-in, which was required in order to be included in final race results. While this covered ZwiftPower legally, it created a new problem: racers could compete in-game without having opted in to ZwiftPower, and so were left out of the final results (like the example above). While this issue affected final results, you could still see the “unfiltered” list of finishers if desired. With these GDPR changes, though, the only riders listed on ZwiftPower will be those who have given explicit consent.
More than once I’ve put in hard efforts to beat someone in-game only to realize they weren’t even in the final results list. With the new API restrictions this will become a much bigger issue. Yes, I hear you saying, “It’s just a game, you’re building fitness.” But I want to know the people I’m racing against are the people I’m racing against, and that will only happen if Zwift adds some sort of ZwiftPower GDPR consent requirement in-game. So I’m hoping that is exactly what happens, even though I don’t see it happening within the next few weeks.
Here’s how I see this shaking out: once Zwift’s API is updated (let’s say within a week), race organizers will need to make a big push to get Zwifters to consent so they can be included in ZwiftPower results. And eventually, hopefully, this will be streamlined and handled in-game so all racers are required to opt-in.