Mobile apps: What businesses should know a year after the Tim Hortons data tracking scandal

( Disponible en anglais seulement )

12 juillet 2023 | David Krebs, Kristen Ward

Many businesses are tapping into the digital economy by creating mobile apps to enhance customer experience, build brand awareness, and boost marketing outcomes, which often includes collecting (sometimes very detailed) information from users. However, creating and deploying these apps comes with responsibility and accountability regarding the collection and use of user personal information. Non-compliant privacy practices can tarnish brand reputation and expose companies to regulator and public scrutiny.

This was Tim Hortons’ experience last year, when a joint investigation by the Office of the Privacy Commissioner of Canada (“OPC”), the Office of the Information and Privacy Commissioner of Alberta, the  Office of the Information and Privacy Commissioner of British Columbia, and the Commission d’accès à l’information of Quebec (collectively, the “Commissioners“) found that the Tim Hortons app was collecting vast amounts of users’ geolocation data every few minutes. The app requested permission to use mobile device location information but misled users to believe that geolocation data would only be collected while the app was activated. Rather, each customer’s location was being tracked without their knowledge or consent even  when the app was closed. A report of the Commissioners’ findings found that the collection of (sensitive) geolocation information resulted in a loss of customers’ privacy that was disproportionate to any benefits that the company could gain from improving the promotion of its coffee and products.

In a recent blog post of the OPC, they state that they are now satisfied that Tim Hortons has met its commitments and implemented recommendations that flowed from the findings of the investigation. More importantly however, on the first anniversary of the investigation the OPC also released key takeaways for businesses when it comes to mobile app privacy, which are summarized below. Our main takeaways from the OPC’s blog are this:

  • Collection of personal information must be reasonable given the level of sensitivity and benefits to consumer/user;
  • Get specific and explicit consent where required;
  • Use plain language to explain privacy and data collection practices; and
  • Maintain a robust and relevant privacy program to support the app.

Summary of OPC’s takeaways

Assess the purpose of the app’s data collection:

Is it appropriate?

When developing a mobile app, businesses should assess whether the purposes for collection, use or disclosure of personal information is appropriate and reasonable in the circumstances, even if there is consent. This is a contextual assessment that should ask whether a reasonable person would consider the purpose to be appropriate.

User apps should only collect information that is legitimately needed, and should only collect data when it is needed. App developers should not be collecting personal information that is not going to be used or that the business is not ready to use. If a business is collecting personal data that is not being used, collection of that data should cease and the data should be deleted.

Does the purpose comply with the Personal Information Protection and Electronic Documents Act (“PIPEDA”)?

Consider the purpose of the data collection and evaluate if it complies with PIPEDA by evaluating the following:

  • How sensitive is the personal information you are proposing to collect?
  • Does the purpose in collecting data align with a legitimate need or business interest?
  • Is the collection, use and disclosure of data effective in meeting that business need or interest?
  • Are there any less-privacy invasive means of achieving the same result?
  • Does the purpose of collecting data result in a disproportionate loss of privacy?

A key message is that without an appropriate purpose to collect data, consent does not render the collection, use or disclosure of an app user’s personal information compliant with PIPEDA.

Get informed consent from app users:

Express and specific consent

Mobile apps should ask for express consent from users before collecting, using or disclosing user data  that is likely to be considered sensitive.  Express consent is also required if the app user would not reasonably expect the practice, such as when a business plans to disclose personal information for a purpose unrelated to the user’s reason in downloading the app.

If the collection of data is not integral to the primary functionality of the app, provide users with a clearly explained and easily accessible choice of whether to consent to the collection and use of their data. Where express consent is required, such as with sensitive geolocation, the choice to consent to the collection and use of data should be opt-in.

Are explanations consistent and transparent?

Consent requires the user to be informed of the scope of data collection and its implications. Businesses should explain their practices and how they will use personal information in a way that is understandable, comprehensive and accessible to app users who wish to read that explanation in full. The explanation and stated purpose of data collection must be consistent with how that information will actually be used.

A clear and prominent explanation about key elements of the businesses’ privacy practices should be provided at the point where the user decides whether to consent or not. Key elements can include:

  • What user data will be collected via the app and when the app will collect that information;
  • With whom the data will be shared;
  • Why the app collects personal information; and
  • Any meaningful risks of harm or negative consequences that could result.

Implement robust privacy policies and provisions:

Are there contractual safeguards with third parties?

Organizations have an obligation to ensure service providers adequately protect privacy, limit use and limit the disclosure of data being transferred to them. Contractual protections should be implemented to protect user personal information.

If transferring personal information collected from a user app to a third party for processing, review the contract carefully. Ensure that clear terms are used so that the processor understands its obligations when processing the data  and that the business and third party both agree what the processor can and cannot do with the information.

Does the business have an adequate privacy management program?

Businesses should implement a robust privacy management program if they plan to collect, use or disclose personal information via an app. This will ensure that privacy is built in up front and that the app complies with privacy requirements.

A robust privacy program  incudes carrying out privacy impact assessments to determine any risk associated with the businesses intended use of data, and implementing measures to mitigate those risks and protect app users personal information.

If you have any questions or concerns, please reach out to a member of Miller Thomson’s Privacy team.

Avis de non-responsabilité

Cette publication est fournie à titre informatif uniquement. Elle peut contenir des éléments provenant d’autres sources et nous ne garantissons pas son exactitude. Cette publication n’est ni un avis ni un conseil juridique.

Miller Thomson S.E.N.C.R.L., s.r.l. utilise vos coordonnées dans le but de vous envoyer des communications électroniques portant sur des questions juridiques, des séminaires ou des événements susceptibles de vous intéresser. Si vous avez des questions concernant nos pratiques d’information ou nos obligations en vertu de la Loi canadienne anti-pourriel, veuillez faire parvenir un courriel à [email protected].

© Miller Thomson S.E.N.C.R.L., s.r.l. Cette publication peut être reproduite et distribuée intégralement sous réserve qu’aucune modification n’y soit apportée, que ce soit dans sa forme ou son contenu. Toute autre forme de reproduction ou de distribution nécessite le consentement écrit préalable de Miller Thomson S.E.N.C.R.L., s.r.l. qui peut être obtenu en faisant parvenir un courriel à [email protected].