In his last milliseconds as commissioner, Daniel Therrien took a big swing at a Canadian icon — Tim Hortons. He might as well have used the giant canoe paddle the IAPP gave him as a gift of thanks for his term. Apparently, he likes Starbucks, but I imagine it had more to do with privacy practices than the flavor of their brew.
A few takeaways from the Report of Findings:
- It was a collaborative and joint investigation among the four data protection authorities with jurisdiction over the private sector. I think we can expect more of this and, quite frankly, I think it’s good because the more harmonization and consistency across jurisdictions, the better.
- The major fault of the coffee and donut giant was that its application collected vast amounts of location data without consent and in excess of what would be considered reasonable.
- The report also stressed that location data can be quite sensitive — we certainly saw some folks get excited about this issue with the whole mobility data affair that resulted in Parliamentary hearings not too long ago.
- Notice and choice need to be clear and obvious — and apps trying to collect more than they should isn’t a new thing.
- Pay close attention to, and build protections into, contracts with third-party providers; the devil’s in the details.
- Just because everyone loves your coffee and donuts (I’m partial to the glazed crullers) doesn’t give you a free pass.
Anyway, I invite you to read the report as you enjoy your Tim’s or Starbucks or Little Victories — that’s an amazing little coffee shop in Ottawa, by the way.
And in the meantime, perhaps by the time this is out (because I send it in on Thursday) there will be a new commissioner at the helm of the Office of the Privacy Commissioner, giving us new fodder for this space.