Apple called upon to be more open about its collection and use of information for downloads
PIPEDA Case Summary #2014-007
April 22, 2014
Lessons Learned
- The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
- The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization, and that information shall be collected by fair and lawful means.
- An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Organizations must be open about their policies and practices with respect to the management of personal information. Individuals must be able to acquire information about an organization’s policies and practices without unreasonable effort.
An individual alleged that he was unnecessarily required to provide payment information and his date of birth for downloading a free application from the Apple Canada Inc. (“Apple”) website because of Apple’s requirements for creating an Apple ID.
Our investigation found that all customers must have an Apple ID to access online services, such as downloading applications. After discussing Apple’s requirements for creating an Apple ID, we accepted the organization’s argument that it must reliably authenticate, differentiate and verify its several million Canadian customers and that using a birth date for this purpose is an acceptable practice. However, after our discussions with Apple we noted that its privacy policy did not fully identify the purposes for which it collects personal information from users (specifically, Apple’s collection of date of birth information for the purposes of authentication). We raised this issue with Apple, and it subsequently agreed to revise its privacy policy. As a result, this aspect of the complaint was deemed well-founded and conditionally resolved, pending implementation of our recommendation.
With regard to the collection of financial information, Apple affirmed that there were online instructions in the website’s support section for users on how to download free applications without providing payment information. Apple further asserted that these instructions could be found by using the search term “credit card” in its website’s search engine.
Our Office’s technical analysis, and our review of hundreds of comments posted by similarly frustrated users in an Apple open forum, led to our view that Apple was not making information about its policies and practices concerning the collection of credit card information clearly and directly accessible to individuals at the relevant point in time (i.e., at user registration). We were concerned that Apple’s practices could result in the over-collection of sensitive payment information.
We deemed this aspect of the complaint to be well-founded, and recommended that Apple clearly communicate to users that a form of payment is not required when registering for an Apple ID for the purpose of downloading a free application. We recommended that Apple could achieve this by adding the option of proceeding without the need to supply payment information at every point of registration. In response to our final report of findings, Apple agreed to our recommendation. In the end, we were very pleased with Apple’s commitment to users in agreeing to address the issues stemming from our investigation.
To read more about this case, you can refer to Annual Report to Parliament 2013 - Report on the Personal Information Protection and Electronic Documents Act.