Canadian privacy regulators clarify requirements for mobile applications

Canadian privacy regulators clarify requirements for mobile applications

July 6, 2022 4-minute reading privacy law bulletin

On June 1, 2022, the Office of the Privacy Commissioner of Canada and its provincial counterparts (the “privacy regulators”) released a joint investigation report (the “report”) that clarified expectations. compliance of mobile applications that collect location data from its users and process that data through third-party service providers.[1]

The Report clarifies that the collection of location data must be done for an appropriate purpose, after obtaining valid consent. The Report also clarifies which contractual terms with service providers are sufficient and necessary to safeguard this location data. The Report also highlights the sensitivity of location data and the need for companies that manage personal information to have a solid privacy management program.

Collect or use personal information only for a proper purpose

Privacy regulators concluded that targeted advertising may not be an appropriate purpose to justify the collection and use of sensitive location data. They consider granular location data to be sensitive in nature, as it can be used to determine where an individual lives and works with relative ease. In addition, granular location data can indicate a person’s religion, medical treatments or illnesses, sexual preferences, social and political affiliations, and more, revealing visits to certain religious or medical institutions, for example.

To assess whether personal information was collected or used for an appropriate purpose, privacy regulators and courts take into account a number of factors, such as:

1. whether the purpose represents a legitimate need of the company;
2. whether there are less invasive means of privacy to achieve the same goals; i
3. if the loss of people’s privacy is proportional to the profits made by an organization.

In conducting these assessments, the courts have asked privacy regulators to strike a “balance of interests” between the individual’s right to privacy and the business needs of the organization in question.

The above factors are applied flexibly and contextually. Accordingly, although privacy regulators found that targeted advertising did not justify the collection of sensitive location data in this case, they recognized that it could be an appropriate purpose for the collection of personal information in some circumstances.

Obtain valid consent for location data collection

Privacy regulators have taken into account that individuals may not be compelled to consent to the collection, use or disclosure of personal information when the purpose is not appropriate.

The Report identified the following factors as relevant when considering whether valid consent was obtained for the collection and use of location data:

• whether users were informed that the organization would collect their location data even when an application was closed;
• whether the statements lead users to think that the organization would only collect location data when an application was open; i
• whether the organization ensured that users understood the consequences of consenting to the continuous collection of background location data.

Implement contractual terms with third-party service providers that provide adequate protections

Under Canada’s privacy laws, organizations are not only responsible for personal information under their control. They are also required to implement contractual or other measures to protect personal information that third-party service providers process on their behalf.

For example, in the report, privacy regulators determined that the organization could not allow a third-party service provider to use location data collected by an application for its own business purposes. This includes use for purposes of development, diagnosis or corrections other than those necessary for the provision of the services in question, or to use or disclose any personal information, even in an aggregated or unidentified manner, in connection with the business of the service provider.

Privacy regulators took note of the current digital marketing ecosystem, in which applications often collect valuable location information and disclose it to data aggregators, who in turn can collect this information, combine it with available information. from other sources and potentially re-identify it. otherwise, unidentified information. They considered how location data is often collected and sold which, as individuals can be easily identified by their movements, poses a real risk of being re-identified and used by third parties for unwanted purposes. In particular, privacy regulators found that accurate tracking of smartphone movements can allow data aggregators to create complete profiles for targeted marketing and advertising purposes. The mere removal of other identifiers from data provided to third parties is not sufficient to protect the privacy of an individual user and does not relieve an organization of its obligations to implement sound contractual guarantees.

This is not to say that it would be inappropriate, in all circumstances, for a service provider to use personal information for its own internal purposes, when valid consent has been obtained. However, in these circumstances, privacy regulators consider that the contractual clauses should be clear and unambiguous, contain appropriate definitions (for example, for personal information and unidentified data) and clearly delineate responsibilities between the parties to ensure that significant consent is obtained from the people. .

Takeaway food

The report serves as a reminder of the importance of a strong privacy protection and compliance program, including ongoing training and review. Here are three useful findings from the report for organizations that manage personal information:

• Location data can be very sensitive. Persistent and granular location data from smartphones can be very sensitive, given the ability of this data to reveal sensitive personal information about a person. As stated in the privacy statement of the Office of the Privacy Commissioner on sensitive personal information, as the information becomes more sensitive, it attracts a correspondingly higher standard for informed consent and appropriate safeguards.[2]
• Targeted advertising may not be considered an appropriate purpose for collecting sensitive location data. The Report concluded that while targeted advertising may be appropriate in some circumstances, the purpose may not be proportionate to the loss of individual privacy caused by the persistent collection of location data from smartphones.
• Contracts with service providers should protect personal information. Privacy regulators made clear some of their expectations for contracts with service providers. These contracts should (i) be clear and unequivocal about how personal information may or may not be used by the service provider, (ii) delineate the responsibilities of each party to ensure that meaningful consent is obtained, and (iii) include definitions. clear personal information. or unidentified information that is consistent with applicable laws.

If you have any questions about the report, location data collection, contractual requirements for service provider contracts, or Canadian privacy laws in general, a member of our data protection and privacy group will be happy to help you.

[1] Office of the Privacy Commissioner of Canada, PIPEDA Findings # 2022-001 (June 1, 2022), available here.

[2] Office of the Privacy Commissioner of Canada, “Interpretation Bulletin: Sensitive Information,” (May 2022), available here.

by Robert Piasentin, Robbie Grant and Kristen Shaw

A warning note

The above only provides an overview and does not constitute legal advice. Readers are cautioned not to make any decisions based solely on this material. Rather, specific legal advice should be obtained.

© McMillan LLP 2022