Canada: OPC publishes recommendations for businesses to protect consumers privacy on mobile apps
On June 29, 2023, the Office of the Privacy Commissioner of Canada (OPC) published a blog offering advice to businesses on how to protect the privacy of customers using their mobile apps, to mark the one-year anniversary of its investigation into Tim Hortons Inc.. In particular, the OPC highlighted ten best practices surrounding appropriate purpose, consent, and further expectations to aid businesses in their compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA).
When developing a mobile app, the OPC provided that businesses should take into account whether a reasonable person would consider the purposes for collecting, using, or disclosing user data to be appropriate in the circumstances. In addition, the OPC highlighted that businesses should only collect information that they legitimately need, noting that where a business decides to stop using the data, they should stop collecting it and delete any data that is no longer required.
Moreover, the OPC outlined specific factors to evaluate whether a purpose will be in compliance with PIPEDA.
Specifically on consent, the OPC clarified when express consent will be needed, as well as how to ensure meaningful consent. To this end, the OPC recommended that businesses provide a clear and prominent explanation upfront about key elements of the business' privacy practices, including:
- what user data will be collected via the app, and when/whether the app will continue to collect the user's data when the app is closed;
- with whom user data will be shared;
- why that information is collected; and
- any meaningful risk of harm or other negative consequences that could result.
The OPC recommended that when transferring personal data to a third party for processing, businesses should review contracts carefully and ensure the processor understands their obligations with regard to the use of personal data.
More generally, the OPC noted that businesses should implement a privacy management program when planning to collect, use, or disclose personal information via an app. This includes carrying out privacy impact assessments to identify any risks and implementing mitigation measures to adequately protect app users' personal data.
You can read the blog post here.