No Coffee Breaks from Privacy Compliance - A Cautionary Tale for App Developers

  • July 11, 2022
  • Roland Hung and Ida Sherkat, Torkin Manes LLP

In an effort to engage with customers on a deeper level, companies are increasingly investing time and resources into developing and improving their mobile applications.  Mobile applications can increase customer engagement and promote long-term business growth by making a company’s products and services more accessible to the customer and driving brand loyalty.

This article highlights that navigating this unique technological space requires companies to be aware of the consequences of potential boundless tracking of their app users and to ensure they are compliant with Canadian privacy laws.

Background

On June 1, 2022, the Office of the Privacy Commissioner of Canada (the “OPC”) released their findings from an investigation launched into the location tracking function of the Tim Hortons app. The May 2019 versions of the app made use of Radar, a third-party service provider, to collect GPS location data that enabled Tim Hortons to infer the homes, places of work, travel and competitor visiting habits of the app users (“App Users”). Device locations were tracked as often as every few minutes for this purpose, even in circumstances where user permission requests were made on the basis of location only being tracked while the app was opened. In fact, the app was found to track the exact location of an individual more than 2,700 times in less than five months, including tracking in destinations around the world where Tim Hortons does not operate.

Tim Hortons identified that this granular location data was collected for the purposes of delivering targeted advertising to better promote their products. Tim Hortons confirmed that shortly after implementing this update, their attention was refocused to other commercial endeavours, resulting in the data being only minimally used for user trend analytics. The data was never used to tailor or personalize marketing or to conduct reports to a particular user.

Issues

The OPC and Canada’s three provincial private sector privacy authorities (the “Regulators”) gave their findings on four key issues:

  1. Whether Tim Hortons collected and used granular location data, through the app for a purpose that: (a) a reasonable person would consider appropriate in the circumstance, and (b) was reasonable and to fulfill a legitimate need;
  2. Whether Tim Hortons obtained adequate consent from App Users to collect and use their granular location data;
  3. The contractual protections Tim Hortons implemented to protect App Users’ personal information while being processed by a third-party service provider; and
  4. The accountability of Tim Hortons to implement policies and practices to ensure compliance with the federal privacy legislation and provincial legislations in Quebec, British Columbia, and Alberta.

Decision

Personal Information Collected or Used for an Inappropriate Purpose

The Regulators concluded that there was no bona fide business interest served by the collection of the vast amounts of sensitive personal information through the Tim Hortons app. The loss of privacy experienced by App Users due to the amount and frequency of data collected was not found to be proportional to the potential benefits of improved targeted advertising. It was concluded that a reasonable person would not find the purpose to be appropriate, reasonable or legitimate in this case.

Invalid Obtained Consent

The Regulators stressed that consent of the App Users cannot render appropriate an otherwise inappropriate, unreasonable or illegitimate purpose.  In addition, the Regulators highlighted three main reasons why consent granted by the App Users was held to be invalid:

  1. a failure to inform users that their location information was collected while the app was closed;
  2. explicit misleading statements made to users stating that the app was only collecting this information while it was open; and
  3. a failure to make known the consequences of Radar’s continual background data collection.

Inadequate Contractual Protections in place between Tim Hortons and Radar

Vague and permissive language in the contract between Tim Hortons and Radar suggested to the investigators that the personal information of App Users could have been used and disclosed by Radar in de-identified form in connection with its business operations and company offerings (though Radar does not appear to have done so). The volume and potential sensitivity of data collected was again found to require a level of protection put in place by Tim Hortons for App Users that was not met. 

Lack of Accountability in Tim Hortons’ Privacy Management Program

The Regulators identified key accountability issues, which included:

  • the collection of the granular location data for over a year without its use for the intended purpose; and 
  • attempts to obtain consent from App Users without fully disclosing to the App Users how their personal information will actually be used.

Recommendations for App Developers

Given the foregoing, and considering their obligations under applicable Canadian private sector privacy laws, app developers and organizations making mobile apps available in Canada should consider the following:

  • Be Transparent. Organizations must be transparent and clearly and conspicuously inform app users that information is being collected by the app.
  • Be Clear What Type of Data is Being Collected. It is not enough to simply state that information is being collected. Rather, organizations must describe why the information is being collected and how it will be used. Organizations must also describe how the information is collected, whether it is shared with third parties, what information is shared and in what form, whether information will be collected even when the app is closed, and provide contact information so that app users can contact the organization with questions.
  • Ensure Consent is Meaningful. Ensure that the app users give consent based on a full, transparent, and complete disclosure of the type of information that will be collected through the app, how the information will be used, and for what purposes.   
  • Avoid Secondary Uses. Once consent is obtained from app users, ensure the information collected through the app is used or disclosed only for the purposes for which consent was given.  It is important to avoid using the information collected for secondary purposes for which consent was not obtained.  Consent is not a carte blanche for the organization to collect, use, or disclose personal information for purposes that were not originally identified when the consent was obtained.  If an organization would like to use the personal information for additional purposes, the organization will need to obtain consent for those additional purposes.
  • Make the Terms of Use and / or Privacy Policy Accessible. The Terms of Use and Privacy Policy should be accessible on the app so that the app user can quickly review them.  Organizations may also want to consider providing app users with a short notification upon downloading a GPS-enabled app that provides a brief summary advising that GPS data will be collected, with links to the full version of the Terms of Use and Privacy Policy. This may help encourage consumers to educate themselves on the Terms of Use and Privacy Policy before providing consent.
  • Use Contractual Provisions to Protect Personal Information.  If personal information will be transferred to a third party, the organization should ensure through contractual means that the third party will use a comparable level of protection while the information is being processed by the third party. 

In addition, organizations must ensure that they use reasonable safeguards to protect the information collected through the app and should keep the information for only as long as reasonably required. Employing reasonable safeguards and appropriate retention periods will reduce the risk of customer data being lost in a security breach.

Lastly, had this investigation been conducted under the provisions of Bill C-27 (the new bill introduced by the federal government on June 16, 2022, to modernize and overhaul the federal private sector privacy legislation in Canada), there is a high likelihood that the investigation would attract the use of the new enforcement powers of the OPC and administrative monetary penalties (“AMPs”).  Under Bill C-27, if passed, the OPC will be granted order-making powers that permit it to issue orders requiring organizations to comply.  Moreover, the OPC will be able recommend to the Personal Information and Data Protection Tribunal (the “Tribunal”) that it impose AMPs if an organization has contravened the law. 

If Bill C-27 passes, the Tribunal will have the power to impose AMPs for contraventions up to the greater of $10,000,000 or 3% of the organization’s gross global revenue in the preceding financial year. 

While Bill C-27 is not law yet, organizations should take this opportunity to review their privacy practices and the way their mobile apps collect, use, and disclose personal information to ensure they are prepared for the upcoming changes to the federal privacy legislation. 

********************

This article was originally published on the Torkin Manes website on July 4, 2022. For more information about privacy management programs specific to your organization, please contact a member of Torkin Manes’ Technology, Privacy & Data Management Group. For more information about Bill C-27, please read our article on Bill C-27 here.

 

Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.