Canadian privacy regulators clarify requirements for mobile apps
July 6, 2022 Privacy Law Bulletin 4 min read
On June 1, 2022, the Office of the Privacy Commissioner of Canada and its provincial partners (the “Privacy Regulators”) published a joint investigation report (the “Report”) that clarified compliance expectations for mobile applications that collect location data from their users and process this data through third party service providers.[1]
The report clarifies that the collection of location data must be done for an appropriate purpose, after obtaining valid consent. The report also clarified what contractual terms with service providers are sufficient and necessary to protect such location data. The report further highlights the sensitivity of location data and the need for companies handling personal information to have a robust privacy management program in place.
Collect or use personal information only for an appropriate purpose
Privacy regulators have concluded that targeted advertising may not be an appropriate purpose to justify the collection and use of sensitive location data. They believe that granular location data is sensitive in nature because it can be used to determine where a person lives and works with relative ease. In addition, detailed location data may indicate an individual’s religion, medical treatments or illnesses, sexual preferences, social and political affiliations, and more, revealing, for example, visits to certain religious or medical institutions.
In assessing whether personal information has been collected or used for an appropriate purpose, privacy regulators and courts consider a number of factors, including:
- whether the purpose represents a legitimate business need;
- whether there are less privacy-invasive means of achieving the same goals; and
- whether the loss of privacy for individuals is proportionate to the benefits received by the organization.
In making these assessments, courts have urged privacy regulators to perform a “balancing of interests” between an individual’s right to privacy and the commercial needs of the organization concerned.
The factors above are applied flexibly and contextually. Accordingly, while privacy regulators found that targeted advertising did not justify the collection of sensitive location data in this case, they acknowledged that it may be an appropriate purpose for collecting personal information in some circumstances.
Obtain valid consent to collect location data
Privacy regulators have noted that individuals cannot be compelled to consent to the collection, use or disclosure of personal information where the purpose is inappropriate.
The report identifies the following factors as relevant when considering whether valid consent has been obtained for the collection and use of location data:
- whether users have been informed that the organization will collect their location data even when an application is closed;
- if the statements mislead users into thinking that the organization will collect location data only when an application is open; and
- whether the organization has ensured that users understand the consequences of consenting to the continuous collection of location data in the background.
Enforcing contractual terms with third-party service providers that provide adequate protection
Under Canadian privacy laws, organizations are not only responsible for personal information under their control. They are also required to implement contractual or other measures to protect the personal information that third-party service providers process on their behalf.
For example, in the report, privacy regulators determined that an organization cannot allow a third-party service provider to use location data collected by an app for its own business purposes. This includes use for development, diagnostic or corrective purposes other than necessary to provide the services in question, or use or disclosure of any personal information, even in aggregated or de-identified form, in connection with the service provider’s business.
Privacy regulators have taken note of the current digital marketing ecosystem, in which valuable location information is often collected by apps and disclosed to data aggregators, who can in turn compile that information, combine it with information available from others sources, and potentially re-identify otherwise de-identified information. They looked at how location data is often collected and sold, which, because people can be easily identified by their movements, poses a real risk of being re-identified and used by third parties for unintended purposes. In particular, privacy regulators have found that the precise tracking of smartphone movements can allow data aggregators to create comprehensive profiles for the purposes of targeted marketing and advertising. Simply removing other identifiers from data provided to third parties is not sufficient to protect the privacy of an individual user and does not relieve an organization of its obligations to implement robust contractual safeguards.
This does not mean that it would be inappropriate, in all circumstances, for a service provider to use personal information for its own internal purposes where valid consent has been obtained. In such circumstances, however, privacy regulators consider that contractual clauses should be clear and unambiguous, contain correct definitions (eg of personal information and de-identified data) and clearly delineate responsibilities between the parties to ensure that meaningful consent is obtained from the persons.
Food to take home
The report serves as a reminder of the importance of a robust privacy compliance and protection program, including ongoing training and review. Here are three useful takeaways from the report for organizations that process personal information:
- Location data can be very sensitive. Persistent, detailed smartphone location data can be very sensitive given the potential for such data to reveal sensitive personal information about an individual. As noted in the Office of the Privacy Commissioner’s Sensitive Personal Information Interpretation Bulletin, when information becomes more sensitive, it attracts a correspondingly higher standard of informed consent and appropriate safeguards.[2]
- Targeted advertising may not be considered an appropriate purpose for collecting sensitive location data. The report concludes that while targeted advertising may be appropriate in some circumstances, the purpose may not be proportionate to the loss of personal privacy caused by the constant collection of smartphone location data.
- Contracts with service providers must protect personal information. Privacy regulators have clarified some of their expectations for contracts with service providers. Such contracts should (i) be clear and unambiguous about how personal information may or may not be used by the service provider, (ii) outline the responsibilities of each party to ensure meaningful consent is obtained, and (iii) ) include clear definitions of personal information or de-identified information that are consistent with applicable laws.
If you have any questions about the Report, location data collection, contractual requirements in service provider agreements, or Canadian privacy laws generally, a member of our Privacy and Data Protection team will be happy to assist you.
[1] Office of the Privacy Commissioner of Canada, PIPEDA Findings #2022-001 (June 1, 2022), available here.
[2] Office of the Privacy Commissioner of Canada, Interpreting Bulletin: Sensitive Information, (May 2022), available here.
by Robert Piacentine, Robbie Grant and Kristen Shaw
A cautionary note
The above provides a general overview only and does not constitute legal advice. Readers are cautioned not to make decisions based solely on this material. Rather, specific legal advice should be obtained.
© McMillan LLP 2022
Add Comment