Tim Hortons app violated privacy laws, collected "vast amounts" of Canadians' data

Jun 1 2022, 5:19 pm

A troubling new investigation has found that the Tim Hortons app violated privacy laws and collected “vast amounts” of sensitive location data over the past few years.

A joint investigation by the Office of the Privacy Commissioner of Canada and independent studies from Quebec, British Columbia, and Calgary were made public on Tuesday, concluding a nationwide investigation that began in June 2020.

In an email shared with Daily Hive, the investigation says people who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of every day, even when their app was not open.

The report concluded that Tim Hortons’ “continual and vast collection of location information” was not proportional to the benefits the company may have “hoped to gain” from the in-app promotion of its coffee and other products.

The Tim Hortons app asked for permission to access the mobile device’s geolocation functions but “misled many users to believe the information would only be accessed when the app was in use.” In reality, the app tracked users while the device was on, continually collecting their location data.

“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers,” says Daniel Therrien, the Privacy Commissioner of Canada. “Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians.”

The Tim Hortons app also used location data to figure out where users lived, where they worked, and whether or not they had been travelling. It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.

The two-year-long investigation uncovered that Tim Hortons collected “vast amounts” of location data a year after dissolving its plans to use data for targeted advertising, even though the report concluded it had “no legitimate need to do so.”

In response, the company says it only used location data in a “limited way,” specifically to analyze user trends, whether they switched to other coffee chains, and how customers’ movements changed throughout the pandemic.

Location data has become highly sought after in recent years because it can reveal where people live and work, detail their trips to medical clinics, and support deductions about religious beliefs, sexual preference, social-political affiliations, and much more.

All four privacy authorities (the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information Privacy Commissioner of Alberta, and the Office of the Information and Privacy Commissioner for British Columbia) have released four recommendations for what Tim Hortons should do next:

  • Delete any remaining location data and direct third-party service providers to do the same.
  • Establish and maintain a privacy management program that includes privacy impact assessments for the app and any other apps it launches.
  • Create a process to ensure information collection is necessary and proportional to the privacy impacts identified.
  • Ensure that privacy communications are consistent with and adequately explain app-related practices and report back with the details of measures it has taken to comply with the recommendations.

The investigation says Tim Hortons has “taken measures” to resolve the newly revealed issues.

Ty Jadah