eloïse gratton toronto, october 26, 2015 privacy and mobile devices : is consent overrated?

Eloïse GrattonToronto, October 26, 2015

Privacy and mobile devices :Is consent overrated?

Part IUsing location in 2015

mobile privacy concerns in 2003

e911

Location technology

Location technology: network based, GPS, hybrid

2015: Location technology now includes wi-fi, web beacons, etc.

Types of location-based services

Sponsored services (proximity services, mobile dating, etc.) delivered by sms

2015: Sponsored services + social networks (Facebook, Foursquare, etc..) delivered via mobile devices

Profiling opportunities

Different type of location-based advertising static profiling real-time profiling dynamic profiling

2015: Big Data, social networks, mobile devices are now connected to the web (linked to OBA), convergence in technologies

Express consent as preferred approach

Mobile device is a personal device + location information is sensitive Opt-in consent as the preferred approach +

challenges (small screen, limited space)

2015: Screen is larger, but consent still raises concerns…. (Part II)

Part IIRemaining legal challenges

Challenges with “notice and choice” approach

Individuals typically…

get privacy defaults wrong

disseminate content more broadly than they intended or is advisable for their own good

struggle to keep up with the technological developments

“Superuser” vs. average user

In determining whether a commercial representation is false or misleading, the general impression of an advertisement should be assessed through the perspective of an "ordinary hurried purchasers," "relatively unsophisticated" and "not particularly experienced at detecting the falsehoods or subtleties found in commercial representations."

(Richard v. Time Inc., 2012 SCC 8)

PIPEDA Report of Findings #2014-008

• Agreement to an app’s “permissions” does not, by itself, equal consent to collect, use and disclose personal information - Google encouraged to provide users with greater clarity to avoid misperception

Lessons Learned

Consent must be meaningful; mobile app developers must inform users about how they collect, use and disclose personal information via their apps. More information about online consent.

Privacy practice transparency can be greatly enhanced by providing privacy information to users at key decision points (i.e. by using “just-in-time” notifications).

Gad Albilia v. Apple Inc.

• [9] The Petitioner claims that personal identifiable information concerning each of the Class Members was collected through the Apps and was transmitted, without their knowledge or permission, to third parties, for purposes wholly unrelated to the use and functionality of their iDevices or the Apps.

• [10] The information collected would have included Class Members’ precise home and workplace locations and current whereabouts; unique device identifier (UDID) assigned to Class Members’ iDevice; personal name assigned to the device; Class Member’s gender, age, postal code, and time zone; as well as App-specific activity such as the functions Class Members performed on the App; search terms entered; and selections of movies, songs, restaurants, etc…;

Subjectivity in Consent

The form of the consent sought by the organization may vary, depending upon the circumstances, the type of information and the sensitivity of the information.

Under PIPEDA, in obtaining consent, the “reasonable expectations” of the individual are also relevant.

19

20

PIPEDA Report of Findings #2015-001

data on users’ TV + web habits + telephone patterns.

“It won’t mean you’ll see more ads, but you’ll see better ones.”

(Wade Oosterman, president of Bell Mobility and Residential Services.)

21

PIPEDA Report of Findings #2015-001: Opt-out consent not adequate

Sensitivity of Information: using sensitive URLs for the purpose of generating customer profiles sheer breadth of information used for the RAP (internet, telephone

and television network usage information, account/demographic information), more sensitive when compiled.

Reasonable Expectations of Bell Customers: using information already collected for new secondary purpose delivers paid services is enabling the delivery of third-party ads is a telecommunications service provider to whom users must entrust

vast amounts of their sensitive personal information in order to gain access to mobile, internet, telephone services.

22

Very short timeframes available for society, and the law, to react to technological innovation

Is consent overrated?

“Today’s privacy crisis is a function of innovation that happens too quickly. Given the accelerating pace of new information technology introductions, new uses of information often appear suddenly, perhaps overnight. Still, after the initial panic, we almost always embrace the service that once violated our visceral sense of privacy. The first reaction, what I call the “creepy factor,” is the frontier response. It doesn’t last long. The Puritans reassert their rational order more quickly all the time.”

(Larry Downes, Policy Analysis, “A Rational Response to the Privacy “Crisis”, Jan 2103)

“the success of the Internet has, in large part, been driven by the freedom to experiment with different business models, the best of which have survived and thrived, even in the face of initial unfamiliarity and unease about the impact on consumers.”

(Remarks of Commissioner Maureen K. Ohlhausen, Consumer Electronics Show, Promoting an Internet of Inclusion: More Things AND More People, at 1, 2014)

Thank you!

Eloïse Gratton

Partner and National Co-Leader, Privacy and Data Security

+514.954.3106

egratton@blg.com