Tim Hortons violated federal and provincial privacy laws by using its mobile app to collect “highly personal” information about its customers without their consent, according to the findings of an investigation carried out by a coalition of Canadian privacy watchdogs.
In a statement on Wednesday, federal privacy commissioner Daniel Therrien called out Tim Hortons for a “mass invasion” of privacy and complained that “private companies think so little of our privacy and freedom that they can initiate these activities without giving it more than a moment’s thought.”
Tim Hortons says it’s no longer using the geolocation technology in question, and is complying with investigators’ requests to delete all the offending data and create a plan to make sure its app complies with privacy laws going forward.
But Therrien said the case highlights a troubling trend in corporate Canada, where businesses casually track their customers’ movements and treat that location data as a commodity to be used to help sell things like coffee. That data, he said, should be treated much more carefully, since it can reveal the intimate details of someone’s life: not just where they live and work, but where they worship, and what sort of health services they use.
“It can be used to make deductions about sexual preferences, social political affiliations and much more,” he said. “Our joint investigation tells yet another troubling story of a company that failed to ensure proper design of an intrusive technology, resulting in a mass invasion of Canadians’ privacy.”
Therrien, along with his counterparts in British Columbia, Alberta and Quebec, launched the investigation into the Tim Hortons mobile app in 2020 following a report by Financial Post journalist James McLeod.
McLeod found the Tim Hortons app had been tracking his movements so closely that it knew where he lived, where he worked, where he vacationed, as well as whenever he walked into certain competing fast-food restaurants. An analysis of months’ worth of data obtained through federal privacy law suggested the app was tracking him even when it was closed.
The commissioners’ investigation found Tim Hortons misled users into thinking their information was only being accessed when they used the app.
“In reality, the app tracked users as long as the device was on, continually collecting their location data,” Therrien’s office said in a news release on Wednesday.
Tim Hortons told the commissioners that it had planned to use the location tracking as a way of providing relevant promotions to customers. For example, if a customer lived in Montreal and traveled to Calgary, the app would know to only deliver deals available at Calgary locations, not Montreal. But Tim Hortons said they never used the data as intended, and instead only used it on “an aggregated, de-identified basis to study trends in our business — and the results did not contain personal information from any guests.”
But Therrien warned that de-identified geolocation data is still at risk of divulging personal details — known as being “re-identified.” And the privacy commissioners took issue with Tim Hortons’ contract with Radar Labs Inc., a third-party US firm that provided enhanced location tracking services for the app.
Therrien said Tim Hortons “did not adopt appropriate contractual measures to prevent its US service provider from using this sensitive data for its own purposes.”
Tim Hortons has agreed to delete the location data, and have its third-party contractor do the same.
In response to Wednesday’s report, Tim Hortons said it was already working on the commissioners’ recommendations and reiterated that it shut down the location tracking in 2020, after the joint investigation began.
“We’ve strengthened our internal team that’s dedicated to enhancing best practices when it comes to privacy and we’re continuing to focus on ensuring that guests can make informed decisions about their data when using our app,” spokesperson Michael Oliveira said in an email.
Tim Hortons won’t face any penalties in the case. That alone “underlines the urgent need for law reform in this country,” since only Quebec has the ability to impose fines when companies break privacy law, BC privacy commissioner Michael McEvoy said.
At a news conference on Wednesday, Therrien said he is hoping for legal reform that will give his office the authority to actively investigate infractions and impose penalties.
“If, as we saw here, they do not think these things through before they start these programs and that personal information is seen as just a commodity and not something that can lead to important privacy risks, there should be a financial penalty,” he said.
• Twitter: jakeedmiston