Photo credit: ASphotofamily
Written by Mayuri Punithan
Federal and provincial privacy authorities discovered that the Tim Hortons app was collecting customer data without their knowledge or consent. The app would ask users if they can access their location, only when using the app. In actuality, they would track and record all of their movements when the app was on. Not only did they record where a user lived and worked, but they were able to know if they visited competitors' stores or where they were traveling to. Hence, the app violated many Canadian privacy laws.
Tim Hortons stated that they intended to study user trends such as if they switched to other coffee chains or how their movements changed during the pandemic, and thus create targeted adverting. However, authorities discovered that "Tim Hortons’ continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products". In other words, Tim Hortons collected sensitive and irrelevant consumer information.
"Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians" – Daniel Therrien, Privacy Commissioner of Canada
Moreover, investigators found that "Tim Hortons’ contract with an American third-party location services supplier contained language so vague and permissive that it would have allowed the company to sell 'de-identified' location data for its own purposes". De-identified refers to the process of removing personal identifiers from information and data, such as a person's age and address. The issue is that de-identified geolocation data can be re-identified. This is problematic as it can reveal sensitive information, such as someone's religious beliefs, medical issues, or political affiliations.
Unfortunately, the Tim Hortons app lacked a robust privacy management program, which could have prevented these privacy issues. Apps must have robust contractual safeguards, as they can protect users' privacy and data.
Tim Hortons has agreed to implement the following recommendations, that were advised by authorities:
- Delete any remaining location data and direct third-party service providers to do the same;
- Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain app-related practices; and
- Report back with the details of measures it has taken to comply with the recommendations.
Although Tim Hortons discontinued tracking users' locations in 2020, it doesn't change how they and other companies often violate users' privacy for marketing and other business purposes. This report can remind other companies to uphold ethical consumer practices.
The Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta conducted this report.
Written by Mayuri Punithan