Canadian privacy regulators clarify requirements for mobile apps

July 6, 2022
Privacy Law Bulletin

4 minute read

On June 1, 2022, the Office of the Privacy Commissioner of Canada and its provincial counterparts (the “Privacy Regulators”) published a joint investigation report (the “Report”) which clarified compliance expectations for mobile apps that collect location data from their users and process that data through third-party service providers.[1]

The report clarifies that the collection of location data must be carried out for an appropriate purpose, after obtaining valid consent. The report also clarifies which contractual terms with service providers are sufficient and necessary to protect such location data. The report further highlights the sensitivity of location data and the need for companies that process personal information to have a robust privacy management program in place.

Collect or use personal information only for appropriate purposes

Privacy regulators have concluded that targeted advertising may not be an appropriate purpose to justify the collection and use of sensitive location data. They consider granular location data to be sensitive in nature, as it can be used to determine where an individual lives and works with relative ease. Additionally, granular location data can indicate an individual’s religion, medical treatments or illnesses, sexual preferences, social and political affiliations, etc., for example by revealing visits to certain religious or medical institutions.

In assessing whether personal information has been collected or used for an appropriate purpose, privacy regulators and courts consider a number of factors, including:

  1. whether the objective represents a legitimate business need;
  2. whether there are less privacy-invasive means of achieving the same ends; and
  3. whether the loss of privacy for individuals is proportional to the benefits obtained by an organization.

In these assessments, courts have asked privacy regulators to strike a “balance of interests” between the individual’s right to privacy and the business needs of the organization involved.

The above factors are applied flexibly and contextually. Therefore, while privacy regulators have concluded that targeted advertising does not justify the collection of sensitive location data in this case, they have recognized that it may be an appropriate purpose for collecting personal information in certain circumstances.

Obtain valid consent for the collection of location data

Privacy officers have noted that individuals cannot be compelled to consent to the collection, use or disclosure of personal information where the purpose is not appropriate.

The report indicated that the following factors were relevant in determining whether valid consent for the collection and use of location data was obtained:

  • whether users have been informed that the organization will collect their location data even when an application is closed;
  • whether the statements mislead users into believing that the organization would only collect location data when an app was open; and
  • whether the organization has ensured that users understand the consequences of consenting to the continued collection of location data in the background.

Implement contractual terms with third-party service providers that offer adequate protections

Under Canadian privacy laws, organizations are not only responsible for personal information under their control. They are also required to implement contractual or other measures to protect personal information that third-party service providers process on their behalf.

For example, in the report, privacy regulators determined that the organization could not authorize a third-party service provider to use location data collected by an app for its own commercial purposes. This includes use for development, diagnostic, or remedial purposes other than as necessary to provide the services in question, or use or disclosure of any personal information, even in aggregated or anonymized form, in connection with the activity of the service provider.

Privacy regulators have taken note of the current digital marketing ecosystem, in which valuable location information is often gathered by apps and leaked to data aggregators, who may in turn compile that information, combine it with information available from other sources and potentially re-identify otherwise anonymized information. They looked at how location data is often collected and sold, which, because individuals can be easily identified by their movements, presents a real risk of re-identification and use by third parties for unintended purposes. In particular, privacy regulators have found that accurately tracking smartphone movements can allow data aggregators to create comprehensive profiles for targeted marketing and advertising. Simply removing other identifiers from data provided to third parties is not sufficient to protect an individual user’s privacy and does not relieve an organization of its obligations to implement strong contractual safeguards.

This does not mean that it would be inappropriate, in all circumstances, for a service provider to use personal information for its own internal purposes, where valid consent has been obtained. However, in such circumstances, privacy regulators consider that contractual terms should be clear and unambiguous, contain appropriate definitions (for example, for personal information and anonymized data) and clearly delineate responsibilities between parties to ensure that meaningful consent is obtained from individuals.

Takeaways

The report reiterates the importance of a strong privacy and compliance program, including ongoing training and review. Here are three helpful takeaways from the report for organizations that process personal information:

  • Location data can be very sensitive. Persistent and granular smartphone location data can be very sensitive, given the ability of this data to reveal sensitive personal information about an individual. As the Office of the Privacy Commissioner’s interpretation bulletin on sensitive personal information indicates, as information becomes more sensitive, it is subject to an even higher standard of informed consent and appropriate protective measures.[2]
  • Targeted advertising may not be considered an appropriate purpose for collecting sensitive location data. The report concluded that while targeted advertising may be appropriate in certain circumstances, its purpose may not be proportionate to the loss of individual privacy caused by the persistent collection of smartphone location data.
  • Contracts with service providers should protect personal information. Privacy regulators have clarified some of their expectations regarding contracts with service providers. These contracts should (i) be clear and unambiguous about how personal information may or may not be used by the service provider, (ii) define each party’s responsibilities to ensure that meaningful consent is obtained, and (iii) include clear definitions of personal information or de-identified information consistent with applicable laws.

If you have any questions about the report, location data collection, contractual requirements in service provider contracts, or Canadian privacy laws more generally, a member of our Privacy and Data Protection Group will be happy to help you.

[1] Office of the Privacy Commissioner of Canada, PIPEDA Findings #2022-001 (June 1, 2022), available here.

[2] Office of the Privacy Commissioner of Canada, Interpretation bulletin: sensitive information (May 2022), available here.

by Robert Piasentin, Robbie Grant and Kristen Shaw

Caution

The above provides an overview only and does not constitute legal advice. Readers are cautioned not to make any decisions based solely on this material. Rather, specific legal advice should be obtained.

© McMillan LLP 2022

Casey J. Nelson