What are you giving up when you allow an app to track your location? Where we go and when we go there can be used to infer what we do and who we see. Your location can be used to infer your religious beliefs, social and political affiliations, sexual preferences, and medical illnesses or treatments.
The recent US Supreme Court decision overturning Roe v. Wade has not only trampled on the privacy rights and rights to bodily integrity of many, but it has also opened up businesses to potential liabilities. If served with a broad location-based order to turn over data (sometimes known as a “geofencing warrant”), a company may be required to turn over data to an authority or face liabilities.
Closer to home, the Federal and Provincial Privacy Commissioners released a report that is highly instructive about the care companies need to take when collecting data. The report is the result of a detailed joint investigation into location tracking by the Tim Hortons mobile application, sparked by a National Post article.
The Commissioners found that the app recorded the home, office, and travelling habits of up to 1.6 million users. While not suggesting any intentional wrongdoing, the report offers clear lessons to include privacy considerations in the planning, development, and management of mobile applications.
Less is more.
The Commissioners identified that the purpose for collecting the information was to provide targeted advertising and better promote its coffee and associated products. While this can be a valid use for collecting personal information, the report identified that the information collected, being detailed location information about individuals even when the app wasn’t being used, went well beyond what would be necessary to provide geo-targeted advertising or to promote coffee and associated products.
The lesson: keep data collection to a minimum.
The report identified several errors in what the app presented to users when it sought consent, including the extent and the purpose for which information was collected. Both the consent sought and the FAQ misstated that the location data was collected only when the app was open or in the foreground. Users of the app were not informed of the consequences of their consent, including the frequency of data collection. One user reported the app recording their exact location more than 2700 times over five months. For valid consent to be obtained, users need to be informed of the extent and intended use of their data.
Use it or lose it.
The report identified that the consequences of the app’s collection of personal data were a loss of privacy not proportional to the benefits of better promotions. While targeted advertisements are not an inherently inappropriate use for data, a reasonable person would not consider it appropriate in this circumstance based on the amount of data collected. In addition, Tim Hortons never used the information for targeted advertising. The report concluded that Tim Hortons did not have a need or legitimate business interest in this data. The amount of data must be reasonable for the business to achieve a bona fide (i.e. legitimate) business interest.
The lesson: ensure that the use of the information collected is reasonable.
The customer comes first.
The lesson: update the information collected as needs and plans change.
Trust, but verify.
One of the issues that the Commissioners raised had to do with the contracts between Tim Hortons and one of its third-party service providers, referred to as “Radar.” The Commissioners found that the contracts contained vague and permissive language that could have allowed Radar to use the location data for its own purposes. Third-party service providers may have access to multiple sources of data, which would allow them to build a far more detailed profile of consumers than would be possible with just one data source. A business has a responsibility to protect personal information collected from its users, and this includes having adequate protections in contracts with third parties.
The lesson: carefully review agreements with third-party service providers and others.
De-identified data isn’t.
De-identified data can always be re-identified, often trivially. For example, in this case, the data collected identified the homes and offices of individuals. It often doesn’t take much to re-identify data, either with or without outside data. It is neither reasonable nor sufficient to treat de-identified or aggregated data as if it doesn’t contain personal or sensitive information. De-identified data must be treated carefully, particularly where it may contain highly sensitive data.
The lesson: “de-identified” data doesn’t absolve responsibility for privacy.
Overcommunicating isn’t a thing.
While much of the legal concern of privacy law has to do with communication with end-users and seeking informed consent, equally important is the internal communication between project managers, developers, legal advisors, and third-party service providers. Many of the issues identified may have been avoidable with clear communication between internal stakeholders and managers, and with proper management of changing goals and requirements. For example, telling developers to turn off certain features when they were no longer required may have avoided many of the issues identified.
The lesson: communication, communication, communication.
As users of smartphones become savvier, we’re starting to see some positive moves in the tech world. Apple has now taken initial steps towards App Tracking Transparency and, in the wake of the overturning of Roe v. Wade, some US-based companies are taking steps to either stop tracking location data or, as Google has recently announced, delete users’ location data at certain locations, including abortion clinics, to avoid future liability.
Keeping both users and stakeholders, internal and external, informed is important to business practices where privacy is concerned.