Many businesses are tapping into the digital economy by creating apps that customers download to enhance their experience, and that businesses can use to gather information to better serve their clients and optimize their business operations.
Last year a joint investigation carried out by the OPC along with its counterparts in Quebec, Alberta and British Columbia found that the Tim Hortons app collected vast amounts of sensitive location data, tracking customers even when they were not using the app – when they visited the doctor, went shopping and even when they were out of the country.
The investigation, concluded in June 2022, found that the restaurant chain collected far more information than it needed for its stated goal of targeted advertising, and then did not use it for that purpose. Its vast collection of sensitive geolocation information resulted in a loss of customers’ privacy that was disproportionate to any benefits that the company may have hoped to gain from improving the promotion of its coffee and other products. The third party that provided Tim Hortons with the app’s location services never used or sold the information for its own purposes, but language in the contract was vague and permissive enough that we were concerned that it could have done so.
After following up with Tim Hortons, our Office is now satisfied that the company has met its commitments and implemented the recommendations flowing from our findings.
On the first anniversary of the investigation, we offer some key takeaways for businesses:
- When developing a mobile app, consider whether a reasonable person would find your purposes for collecting, using or disclosing user data appropriate in the circumstances.
- Only collect the information that you legitimately need, and only when you need it. If you are not ready to use the data, do not collect it. If you decide to stop using the data, stop collecting it and delete any data that is no longer required.
- Consider the following to evaluate whether your purpose will be in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA):
  - the degree of sensitivity of the personal information you propose to collect,
  - whether your organization’s purpose represents a legitimate need/bona fide business interest,
  - whether the collection, use and disclosure would be effective in meeting your organization’s need,
  - whether there are less privacy-invasive means of achieving the same ends, and
  - whether it results in a disproportionate loss of privacy.
- When your purpose is inappropriate in the circumstances, consent will not render your collection, use or disclosure of app users’ personal information compliant with PIPEDA.
- Ask for express consent before collecting, using or disclosing app user data that is likely to be considered sensitive, such as granular geolocation data. Express consent is also required if the app user would not reasonably expect the practice, for instance where you plan to use or disclose their personal information for a purpose that is unrelated to the one for which they downloaded the app.
- Ensure that user consent is meaningful, by explaining your practices in a way that is understandable, comprehensive and accessible to app users who wish to read that explanation in full.
- Provide a clear and prominent explanation up front, at the point of their decision whether or not to consent, about key elements of your privacy practices, including:
  - what user data you will collect via the app, and when/whether the app will continue to collect the user’s data when the app is closed,
  - with whom you will share user data,
  - why you are collecting that information, and
  - any meaningful risk of harm or other negative consequences that could result.
- Where collection of users’ data is not integral to the primary functionality of the app, provide users with a clearly explained and easily accessible choice. Where express consent is required, as with sensitive geolocation data, that choice would be ‘opt-in’.
- When transferring personal information to a third party for processing, review the contract carefully and make sure to use clear terms so that the processor understands its processing obligations, and that you both understand and agree on what the processor can and cannot do with your customers’ information.
- Implement a robust privacy management program when you plan to collect, use or disclose personal information via an app, to ensure that you build in privacy up front, and comply with your legal requirements under PIPEDA. Carry out privacy impact assessments to determine any risks associated with your plans, and implement measures to mitigate those risks and adequately protect app users’ personal information.