If you're planning to track your customers' movements through a mobile app, you'd better have a good reason for doing so and obtain meaningful consent from your users - or risk running afoul of privacy laws.

On June 1, the Office of the Privacy Commissioner of Canada released a report that found a restaurant chain's mobile app violated privacy laws by improperly collecting "vast amounts of location data" from users. The report was based on a joint investigation by the Privacy Commissioners of Canada, British Columbia, Quebec and Alberta.

According to the report, the app in question tracked and recorded the movements of users every few minutes of every day, even when the app wasn't open. Users were being surveilled as long as their device was turned on.

App Misled Many Users About Surveillance: Report

The investigation considered whether the app's owner had a reasonable purpose for constantly tracking the location of users, and whether the owner had obtained meaningful consent to collect such data - topics we have covered in previous blogs.

The report found the app owner initially planned to use users' location data for targeted advertising. That plan was eventually abandoned - but the app continued collecting users' data for another year.

By constantly monitoring the location of users, the app gleaned information on where users lived, where they worked and where they travelled. The app also created "events" when users visited certain competitor restaurants and large sports venues.

Location data can reveal highly personal information, the Privacy Commissioners noted. This includes information about the medical service providers a person uses, as well as information that may reveal a person's religion, sexual preferences and political affiliations.

The report also found that the contract the app owner signed with a third-party location services provider would have allowed the third party to use "de-identified" location data for its own purposes - even though people can easily be identified by their movements.

The Privacy Commissioners found that the app did not have a reasonable purpose for constantly monitoring users' location data and that the app owner had not obtained meaningful consent from users. Although the app asked for permission to access a user's geolocation, it misled many users into believing that their movements would be tracked only when the app was open.

"Following people's movements every few minutes of every day was clearly an inappropriate form of surveillance," Daniel Therrien, Privacy Commissioner of Canada, said in a statement. "This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians."

"You Can't Spy on Your Customers"

The Privacy Commissioners concluded that the app owner did not have a robust privacy management program in place for its app. Such a program would have allowed the company to identify and assess the various privacy issues uncovered by the investigation, the Commissioners said.

The Commissioners recommended that the app owner delete any remaining location data for its customers, direct third-party service providers to do the same and implement a privacy management program to prevent similar privacy contraventions going forward. The company agreed to comply with the recommendations and report back with details on the measures it has taken.

"This investigation sends a strong message to organizations that you can't spy on your customers just because it fits in your marketing strategy," said Michael McEvoy, Information and Privacy Commissioner for British Columbia. "Not only is this kind of collection of information a violation of the law, it is a complete breach of customers' trust."

Are You Tracking Your Users' Movements?

If your organization has a mobile app that tracks users' movements, there are steps you must take to comply with applicable privacy laws and protect your users' data. A privacy management or compliance program including a privacy assessment of your app is required to confirm that your app is compliant with applicable privacy and other laws, including to ensure your data collection has a reasonable purpose and that you have meaningful consent from users.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.