Is Your App Privacy Compliant? Four Key Questions

A report from Alberta’s Privacy Commissioner offers some key takeaways for app developers to consider to ensure compliance with applicable privacy laws.

On July 29, 2021, The Office of the Information and Privacy Commissioner of Alberta (the “Commissioner”) released a report on its investigation into Telus Health’s Babylon application (“Babylon”), which allows Albertans to access healthcare information and support in response to COVID-19.

The Commissioner’s report focused mostly on whether Babylon was compliant with the privacy requirements set forth in the Personal Information Protection Act (“PIPA”). While Babylon was found to be largely compliant with PIPA, the report identified a number of privacy considerations app developers should be aware of. Although the report is focused on PIPA, the privacy principles are similar across Canada and the guidance is helpful to app developers throughout Canada.

The following are some key questions to ask:

1. Is the Data You’re Collecting Reasonable?

If you collect personal information (i.e., essentially any identifiable information about individuals), applicable privacy laws requires you to consider whether the purpose for gathering the information is reasonable.

For example:

  • To provide users with non-medical digital healthcare services, it would be reasonable for users to indicate their symptoms – but not to input their full date of birth.
  • To provide users with clinical services, it would be reasonable to collect personal information to verify user identities, but copying and collecting government-issued identification and obtaining selfies of users would be unreasonable.
  • To recommend nearby healthcare providers, it would be reasonable to access the user’s location data, but determining a user’s location by their IP address would be unreasonable.

What is reasonable will depend on the nature of the services your app provides — but all personal information needs to be carefully reviewed to determine what is necessary. Collecting the minimum amount of information necessary is also an important risk mitigation tool (e.g. if you are subject to a privacy breach).

2. Are You Notifying Users of Why You’re Collecting Data?

It is important to clearly notify individuals of why you’re collecting their personal information under applicable privacy laws.

A privacy policy can be used to explain this to a user, but an app may fail to fulfill the notice requirements if users are notified via a lengthy, hard-to-read privacy policy that is viewed on a mobile device with a small screen. Consider a layered approach where key points are provided to users at the time of collection, with the details available in a privacy policy. Privacy policies themselves should be implemented in a way that makes them easy to access, navigate and understand.

3. Are You Notifying Users of Offshore Data Service Providers?

When an app has service providers around the world, descriptive policies and practices are crucial to comply with most privacy laws to ensure that appropriate notices and/or consents are obtained

If an organization uses a service provider outside of Canada to collect, use, disclose or store personal information, privacy laws typically require the organization to at least provide appropriate notice to users (e.g. to develop policies and practices that clarify which countries outside of Canada are handling the data and for what purposes).

This notice must typically be provided before or at the time of collecting or transferring the information, and it is typically required or recommended to provide the contact information for a person who is able to answer user questions.

Applicable privacy laws have different requirements and will need to be reviewed on a case-by-case basis to determine the exact requirements for a particular app.

4. Are You Obtaining Consent?

In many cases, applicable privacy laws require you to obtain clear, informed consent from users before collecting, using and disclosing their personal information. This consent can take three forms: express, deemed and opt-out:

  • Express Consent

In order for a user to give express consent, an app must paint a clear picture of what the user is agreeing to. If you’re relying on a privacy policy for express consent, you should consider whether users will be able to read and understand what they’re agreeing to on the devices they’re using.

  • Deemed Consent

In order to satisfy the requirements for deemed consent, you must demonstrate that the collection, use, or disclosure of a user’s personal information is for a particular purpose, and that the user provided the information voluntarily for that purpose. It must also be reasonable for a person to voluntarily provide the information you’re collecting.

  • Opt-Out Consent

Depending on the sensitivity of the personal information involved, opt-out consent may be appropriate. You may be able to satisfy the opt-out consent requirements if you provide users with an easy-to-understand notice of why you’re collecting, using and disclosing their personal information, and giving them a reasonable opportunity to decline or object. In most cases, opt-out consent is insufficient for sensitive data such as health or financial information.

As such, careful consideration must be given to how you implement the required privacy components into your app to ensure that you obtain valid and enforceable consent from your users.

Conclusion

Even when apps are developed with globally accepted standards and feedback from various jurisdictions, a one-size-fits all approach to applicable privacy laws is difficult. When launching an application, consulting with local privacy law experts can help you access new markets without violating privacy laws.

Contact our privacy and cybersecurity team if you’re launching an app and need help navigating your legal obligations.

This post is part of a blog series about moving your organization’s operations online. For more information regarding moving your organization’s operations online, please see our blog post series covering the legal risks that organizations should consider on an ongoing basis.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.