An investigation by federal and local privacy commissioners has found that Tim Hortons’ mobile app tracked and logged users’ movements, resulting in a “mass invasion of Canadians’ privacy” that violated Canadian laws.
The investigation concluded that while Tim Hortons asked millions of mobile app users for permission to access geolocation data, the company misled them into believing that the information would only be used when the app was open. In fact, the app tracks user data for as long as the device is left turned on, creating an “event” every time users enter or exit a Tim Hortons competitor, a major sports venue or their home or workplace, according to the investigation.
Federal Privacy Commissioner Daniel Therrien said in a statement that the Tim Hortons app tracks and records users’ movements every few minutes on a daily basis, even when the app is not opened, “resulting in a mass invasion of Canadians’ privacy.”
“We’ve seen here an absolute lack of compatibility between the constant tracking of customers’ locations, habits, and other sensitive information this reveals about them, and the company’s desire to sell more products,” Therrien said.
“In my view, what has happened here again demonstrates the urgent need for stronger privacy laws to protect the rights and values of Canadians.”
The investigation was conducted by the Federal Privacy Commissioner along with his provincial counterparts in Quebec, Alberta and British Columbia. It was first launched in June 2020 after an investigation by the Financial Post found that the Tim Hortons app had tracked the movements of reporter James MacLeod more than 2,700 times in less than five months. More than 1.6 million active users were using the Tim Hortons app as of July 2020.
Tim Hortons spokesperson Michael Oliveira said in an emailed statement that the company has begun implementing the recommendations of privacy commissioners, and that the investigation does not require any new changes to be made to the existing Tim Hortons app.
“We have proactively removed the geolocation technology described in the report from the Tims app,” Oliveira said. “Data from this geolocation technology has not been used for personal marketing to individual guests.”
“The very limited use of this data was on an aggregated and de-identified basis to study trends in our business – and the results did not contain personal information from any guest.”
Tim Hortons app users are at risk of monitoring
According to the investigation, Tim Hortons released an updated version of its app in May 2019 that included improved location tracking using data collected by Radar, a US-based third-party service provider. The company would receive an average of 10 data “events” per user per day from Radar.
While the data was not used for targeted advertising, it was used to analyze user trends. For example, Tim Hortons told privacy commissioners that it could provide instant notifications of promotions to users who were attending a professional hockey game or traveling to a different city.
Tim Hortons disabled location tracking within days of the privacy investigation being launched. The current version of the app uses location data to locate nearby Tim Hortons restaurants on a map, and the investigation said the company “no longer uses accurate data collected through the app for any other purposes.”
But privacy commissioners say the decision to stop the continued tracking of users “did not eliminate the risks of surveillance,” citing Tim Hortons’ contract with Radar, which “contains very vague language” and would allow the company to sell location data for its own purposes.
“Organizations should implement strong contractual safeguards to limit service providers’ use and disclosure of their application user information, including in an unidentified form,” the Privacy Commissioners said in a statement.
“Failure to do so may put these users at risk of their data being used by data collectors in ways they would never have imagined, including detailed profiling.”
The privacy commissioners’ report recommends that Tim Hortons delete any residual site data and instruct third-party service providers to do the same. The report also calls for the creation of a privacy management program that ensures that information collection is necessary and proportionate to the impacts on people’s privacy.
The coffee and donut chain will have to file a report with the privacy commissioners within nine months, explaining what actions it has implemented.
Elijah Sikerska is a Senior Reporter at Yahoo Finance Canada.