People who downloaded the Tim Hortons smartphone app had their movements tracked almost continuously. The app was collecting data even when it was closed..A joint investigation by federal and provincial privacy authorities found the data-gathering was in violation of Canadian privacy laws..The 23-month investigation concluded Tim Hortons’ continual collection of enormous quantities of location data was not in keeping with the needs of the fast food coffee chain..The Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta issued their Report of Findings Wednesday..The Tim Hortons app requested permission to access users' mobile device geolocation functions. However, it led many app users to believe data would only be gathered when the app was turned on. The app, in fact, tracked users continually, collecting their location data at all times devices were switched on..The app also used location data to determine where users lived, worked, and their travelling habits. It generated a data “event” every time a user entered or left a Tim Hortons shop, a competitor, a major sports venue, or their home or workplace..Tim Hortons continued to collect huge amounts of location data for a whole year after abandoning plans to use it for targeted advertising. The data was collected despite there being no legitimate need to do so..Timmies claimed it only used location data in a limited way — to analyze user trends. Data points would, for example, show whether users switched to other coffee chains, and how users’ movements altered as the pandemic unfolded..Although the coffee chain stopped continually surveilling users’ location in 2020 — after the investigation had started — that decision did not eliminate the risk of the data-tracking..The investigation found that Tim Hortons’ contract with an American third-party partner used language so vague and lax that it would have enabled the company to sell “de-identified” location data for its own purposes..Location data is highly sensitive since it can be used to determine where a person lives and works, and potentially reveal trips for medical treatment, for example..The data can also be used to determine a person’s religion, what their sexual preferences are, and political affiliations and more simply by logging their geolocation data..“Organizations must implement robust contractual safeguards to limit service providers’ use and disclosure of their app users’ information, including in de-identified form. Failure to do so could put those users at risk of having their data used by data aggregators in ways they never envisioned, including for detailed profiling,” the investigation authorities said..The four privacy authorities recommended that Tim Hortons:.• delete any remaining location data and that direct third-party service providers to do the same;.• establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain app-related practices; and.• report back with the details of measures it has taken to comply with the recommendations..Tim Hortons agreed to implement the recommendations..“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians,” said Daniel Therrien, Canada’s privacy commissioner..Information and privacy commissioner for British Columbia, Michael McEvoy, said in no uncertain terms Timmies' conduct was a gross violation of consumers’ trust..“This investigation sends a strong message to organizations that you can’t spy on your customers just because it fits in your marketing strategy. Not only is this kind of collection of information a violation of the law, it is a complete breach of customers’ trust … I hope other organizations can learn from the results of this investigation,” he said.
People who downloaded the Tim Hortons smartphone app had their movements tracked almost continuously. The app was collecting data even when it was closed..A joint investigation by federal and provincial privacy authorities found the data-gathering was in violation of Canadian privacy laws..The 23-month investigation concluded Tim Hortons’ continual collection of enormous quantities of location data was not in keeping with the needs of the fast food coffee chain..The Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta issued their Report of Findings Wednesday..The Tim Hortons app requested permission to access users' mobile device geolocation functions. However, it led many app users to believe data would only be gathered when the app was turned on. The app, in fact, tracked users continually, collecting their location data at all times devices were switched on..The app also used location data to determine where users lived, worked, and their travelling habits. It generated a data “event” every time a user entered or left a Tim Hortons shop, a competitor, a major sports venue, or their home or workplace..Tim Hortons continued to collect huge amounts of location data for a whole year after abandoning plans to use it for targeted advertising. The data was collected despite there being no legitimate need to do so..Timmies claimed it only used location data in a limited way — to analyze user trends. Data points would, for example, show whether users switched to other coffee chains, and how users’ movements altered as the pandemic unfolded..Although the coffee chain stopped continually surveilling users’ location in 2020 — after the investigation had started — that decision did not eliminate the risk of the data-tracking..The investigation found that Tim Hortons’ contract with an American third-party partner used language so vague and lax that it would have enabled the company to sell “de-identified” location data for its own purposes..Location data is highly sensitive since it can be used to determine where a person lives and works, and potentially reveal trips for medical treatment, for example..The data can also be used to determine a person’s religion, what their sexual preferences are, and political affiliations and more simply by logging their geolocation data..“Organizations must implement robust contractual safeguards to limit service providers’ use and disclosure of their app users’ information, including in de-identified form. Failure to do so could put those users at risk of having their data used by data aggregators in ways they never envisioned, including for detailed profiling,” the investigation authorities said..The four privacy authorities recommended that Tim Hortons:.• delete any remaining location data and that direct third-party service providers to do the same;.• establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain app-related practices; and.• report back with the details of measures it has taken to comply with the recommendations..Tim Hortons agreed to implement the recommendations..“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians,” said Daniel Therrien, Canada’s privacy commissioner..Information and privacy commissioner for British Columbia, Michael McEvoy, said in no uncertain terms Timmies' conduct was a gross violation of consumers’ trust..“This investigation sends a strong message to organizations that you can’t spy on your customers just because it fits in your marketing strategy. Not only is this kind of collection of information a violation of the law, it is a complete breach of customers’ trust … I hope other organizations can learn from the results of this investigation,” he said.