Be Careful With Location Tracking

Does your app use location tracking? Do you use or retain that data? If so, you could be in violation of privacy frameworks such as Europe’s GDPR, California’s CCPA, or other countries’ privacy laws. A recent ruling out of Canada’s Office of the Privacy Commissioner hammers this point home.

Canadian investigators found that the Tim Hortons coffee chain's mobile app tracked and recorded customers’ "movements… every few minutes of every day," even when the app wasn't open. This tracking violates Canada’s privacy laws. "The Tim Hortons app asked for permission to access the mobile device's geolocation functions but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data… The app also used location data to infer where users lived, where they worked, and whether they were traveling," the ruling stated. "It generated an 'event' every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace."

Tim Hortons canceled plans to use the app for targeted advertising but "continued to collect vast amounts of location data" for another year "even though it had no legitimate need to do so," the Office of the Privacy Commissioner said. Tim Hortons said it used aggregated location data "to analyze user trends—for example, whether users switched to other coffee chains, and how users' movements changed as the pandemic took hold," the office said.

The announcement said Tim Hortons agreed to "delete any remaining location data and direct third-party service providers to do the same," implement a privacy program that "includes privacy impact assessments for the app and any other apps it launches," implement "a process to ensure information collection is necessary and proportional to the privacy impacts identified," and ensure "that privacy communications are consistent with, and adequately explain, app-related practices." Tim Hortons also agreed to report back to the government with details on its compliance.

The data that Tim Hortons collects is very commonly used for targeted advertising. That said, “internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics” are considered “personal information” under frameworks like the CCPA. A developer must obtain approval from users before collecting this information, and must disclose to users how their data will be used. Failure to do so can result in damage to your brand, administrative penalties, and even litigation.

 

Do you have questions about how to safely comply with CCPA, GDPR, and other privacy frameworks? Let’s talk.
