Canadian privacy officials say Tim Hortons app constantly tracked geolocation
Popular Canadian fast food chain Tim Hortons has agreed to delete location data and create a privacy program for its app after Canadian officials released findings from an investigation of the company’s app.
The Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta collaborated on an investigation of how Tim Hortons’ app operated.
The government bodies found that people who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of every day, even when their app was not open, in violation of Canadian privacy laws.
The company reported in May that its app has about four million users, according to Canadian news outlet CBC. The privacy investigation began in 2020 after The Financial Post first reported on the location data gathering.
Daniel Therrien, Privacy Commissioner of Canada, said Tim Hortons “clearly crossed the line” because it amassed “a huge amount of highly sensitive information about its customers.”
“Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians,” Therrien said.
The Tim Hortons app used location data to infer where users lived, worked, and whether they were travelling. It generated an “event” every time users entered and left their homes, entered and exited their office, or travelled. https://t.co/ZvPJnTx8CT (OPC, @PrivacyPrivee, June 1, 2022)
The fast food chain said it will ask third-party service providers to delete the location data it was given, conduct privacy impact assessments for the app and any other apps it launches, create a process to ensure information collection is “necessary and proportional to the privacy impacts identified” while also ensuring that privacy communications “adequately explain app-related practices.”
The company also has to report back to the government agencies with detailed descriptions of the measures it is taking to comply with the orders.
In a statement to The Record, a spokesperson for Tim Hortons said it cooperated with the privacy commissioners and is already working on implementing some of the recommendations.
“It’s important to highlight the report does not require that any new changes be made to the Tim Hortons app and it also concludes that the geolocation data in question was never used for targeted advertising purposes,” the spokesperson said.
“In June 2020, we took immediate steps to improve how we communicate with guests about the data they share with us and began reviewing our privacy practices with external experts. Shortly thereafter, we proactively removed the geolocation technology outlined in the report from the Tims app.”
The company claimed it never used the troves of geolocation data it collected for “personalized marketing for individual guests” and said the data was only used “on an aggregated, de-identified basis” to study business trends.
Investigation w/ @CAI_Quebec, @BCInfoPrivacy, @ABoipc: People who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of every day, even when their app was not open, in violation of Canadian privacy laws. https://t.co/uPRr9i8Zid (OPC, @PrivacyPrivee, June 1, 2022)
But the privacy commissioners’ report disputed this statement, noting that the company’s “continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products.”
The report indicates that users were tricked into thinking the app would only track their location when the app was in use but it actually tracked them as long as their device was on.
That data was then used to figure out where users lived and worked, as well as their travel trends, keeping track of every “time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.”
The company continued to collect the location data even after it ended plans to use the data for targeted advertising.
The report takes aim at what Tim Hortons claimed, noting that even after it stopped the continual tracking feature when the privacy investigation started in 2020, it continued its contract with an American third-party location services supplier.
The language in the contract was “so vague and permissive that it would have allowed the company to sell ‘de-identified’ location data for its own purposes,” the commissioners found.
The report notes that it is incredibly easy to reverse engineer de-identified geolocation data to figure out the movements of users.
Information and Privacy Commissioner of Alberta Jill Clayton added that it is important people know what will happen to their personal information when they download and use apps like Tim Hortons’.
“This investigation sends a strong message to organizations that you can’t spy on your customers just because it fits in your marketing strategy,” said Michael McEvoy, Information and Privacy Commissioner for British Columbia.
“Not only is this kind of collection of information a violation of the law, it is a complete breach of customers’ trust.”
In a recent regulatory filing, the company admitted that it is facing multiple class action complaints related to the data collected by the app. The filings say the company violated the Personal Information Protection and Electronic Documents Act by collecting the geolocation data.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.