Canada’s Privacy Commissioners put location tracking on the ‎front burner

There has been a flurry of activity amongst provincial and federal regulators in Canada relating to privacy laws. Québec’s adoption of An Act to modernize legislative provisions as regards the protection of personal information (better known as Bill 64) on September 22, 2021 has captured the attention of businesses and professionals because of the significantly higher standards and requirements it promises to bring to Québec’s legal privacy framework in. Canada proposed (only to be postponed by a federal election) a wholesale revamp of the Personal Information Protection and Electronic Documents Act (PIPEDA) and just relaunched (with some important changes) its new proposed changes. Ontario has been rumbling about adopting its own provincial privacy laws, which would pre-empt PIPEDA in-province for Canada’s most populous province. British Columbia has recently amended its public sector privacy laws and is considering updating its private sector laws.

Against this backdrop, the recent publication of a report of findings issued jointly by the Office of the Privacy Commissioner of Canada and its provincial counterparts in Québec, Alberta and British Columbia serves as a reminder that companies doing business in Canada are already subject to strict obligations regarding the protection of personal information, and that neglecting those obligations can be perilous.

The investigation addressed certain privacy and information management practices of a well-known ‎coffee shop and restaurant chain. Specifically, the investigation focused on certain personal ‎information collection and disclosure practices in connection with the use of the business’s mobile ‎app. The Commissioners alleged that the mobile app unlawfully collected a ‎significant amount of personal information. Notably, the app would have collected location data at a ‎very high frequency, even when it was not being used. This data was then processed by a third-party ‎supplier based in the United States.‎  (Of note, the report notes that the chain permanently ceased collecting granular location data via the App for purposes of targeted advertising after becoming aware of the investigation.)

The Commissioners analyzed and addressed the following issues: (i) the reasonableness and ‎appropriateness of the collection of personal information in the circumstances; (ii) the validity and ‎sufficiency of the consent requested; (iii) the privacy protections included in contracts with third-party ‎suppliers; and (iv) the business’s privacy practices and policies.‎

• Reasonableness of the collection: The Commissioners were adamant that the app’s extensive collection of location data was not necessary for the stated purpose of improved service and targeted advertising. The data collected by the app (either on its own or combined with other data) could be used to deduce a wealth of information about the individual, including some highly sensitive information such as home address, workplace, and travel habits. (In a footnote, the report acknowledges that “Tim Hortons further clarified that it did not use the Radar Location Data to tailor or personalize marketing to groups or sub-groups of individuals, or to conduct targeted advertising more generally.”) The Commissioners concluded that the extensive collection of personal information was not justified for the purposes stated by the business, and was therefore unlawful. The Commissioners highlighted that such disproportionate and illegal data collection is a fundamental flaw that cannot be remedied even by having the individual’s consent. 
• Consent: The Commissioners criticized the business for not adequately informing users of how the data would be collected. Specifically, the business should have indicated that information would be collected in the background, even when the app was not in use. The consent sought was also deficient because of the lack of information surrounding the consequences of giving consent.  (Even apart from this investigation, most major app stores and phone ecosystems now enforce specific, opt-in permission requirements for the collection of location information in the background outside of use of the app - as many of us have experienced when needing to grant apps permissions for them to properly function as a result of new operating system updates).
• Contractual terms:  Although the commissioners did not conduct an in-depth review of them, the Commissioners also mentioned the contractual terms between the business and the supplier it had engaged to process this data. The Commissioners felt that the language in the clauses dealing with the use of data was too broad and could easily be interpreted to allow the supplier to use the data for its own business purposes, and not simply for the purposes dictated by and under the direction of the business. Even though the supplier did not in fact engage in such uses, the Commissioners nevertheless considered that the mere possibility that those uses might occur was in itself cause for concern. The report noted that it is theoretically possible to allow a third party to use the data collected for its own purposes, but that very clear and detailed consent for such uses must be obtained, which was not the case in this situation.
• Internal privacy management and policies: The Commissioners criticized the business for a lack of internal accountability relating to the management of personal information, and especially for not conducting a Privacy Impact Assessment before launching its application. Privacy impact assessments were not mandatory under any private-sector legislation in Canada (including Québec’s private-sector privacy law as it stood at the time of the investigation), but were nevertheless considered a good practice for evaluating the privacy implications of any new program or technology, and are strongly recommended by privacy commissioners. With the adoption of Bill 64 in Québec, privacy impact assessments will become mandatory beginning on September 22, 2023 in that province, and we expect similar requirements to be a popular topic for amendments to federal and provincial privacy laws across the country.

The report explained that the matter was ultimately settled conditionally by the business’s voluntary ‎adoption of the Commissioners' recommendations. However, the business will remain under ‎observation for the next 12 months for the Commissioners to confirm that it has complied with all its ‎commitments.‎

While this Commissioners’ report is not a final legally-binding judgment, we can draw several practical lessons from it:

• The scope of personal information collected must be proportionate to the stated purposes, as disproportionate collection is illegal even with the consent of the data subject;
• The consent request must be clear and transparent about the nature of the activities being pursued (including those of the third parties and suppliers who will have access to the data), in addition to how the data will be collected and the frequency of collection in cases where it occurs on a continuous basis following the initial collection. As always, Canadian privacy regulators expect there to be meaningful and informed consent;
• An organization that uses a third-party service provider to store or process personal information remains responsible for that information and for ensuring that the information is properly used and secured in the service provider’s hands. Written agreements with third-party suppliers must contain specific provisions regarding the supplier’s use of personal information: open-ended language or language that lends to interpretation should be avoided‎;
• Accessory communications that describe a company’s practices in privacy matters, including pop-up windows and FAQs, are an important source of information for the data subject and may be considered by authorities as sources that misrepresent to the data subject the privacy impact and implications of the company’s activities. All communications related to an enterprise’s privacy practices should therefore be examined to ensure that they are compliant.

‎The report's conclusions were reached on the basis of the privacy laws as they existed at the time of the investigation. However, Québec’s Bill 64 has significantly changed the ‎legal framework for the protection of personal information in Québec. Given the general consensus that Québec’s new legislation will be stricter in all significant respects than its former iteration, as well as the fact that amendments are afoot in every jurisdiction in Canada, these findings suggest a definitive strengthening of the protection of personal information in Canada in the years to come. We have seen the appetite of Canadian regulators and legislatures to amend their privacy legislation to include hefty penalties — Canada’s now-shelved-but-soon-to-resurface privacy amendments had a five percent worldwide turnover proposed penalty, and Québec’s Bill 64 imposes penalties of up to four percent of worldwide turnover for the preceding fiscal year.  Companies are well advised to conduct a comprehensive review of their privacy policies and practices to ensure they remain compliant.

The official press release as well as the Report of Findings can be consulted here.

Our team of privacy and personal information protection specialists can help you navigate these complex issues across Canada.

This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.