A provincial and federal investigation revealed that the Tim Hortons app violated Canadian privacy laws.
Tim Hortons has agreed to implement the privacy authority’s recommendations after the investigation.
The Tim Hortons app tracked users’ movements every few minutes, even when the app was not open, a provincial media release said.
The app asked for users’ permission to access the location of the mobile device, but many believed the location would only be tracked when the app was in use. However, the location was continually tracked to determine where users lived and worked, and whether they were travelling.
The investigation concluded that the app’s collection of location data did not have the targeted promotion benefits.
“The investigation uncovered that Tim Hortons continued to collect vast amounts of location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so,” the media release said.
After the investigation was launched in 2020, the app stopped continually tracking users’ location. However, it was revealed that the app’s contract with an American third-party location services supplier contained vague language that would allow the company to sell de-identified location data.
Location data can be used to reveal not only where users lived and worked but also trips to medical clinics, and it can be used to determine religious beliefs, sexual preferences, and social-political affiliations, the release said.
“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians,” Privacy Commissioner of Canada Daniel Therrien said.
The company said it used location data in a limited way to analyze user trends but has agreed to implement the privacy authority’s recommendations.
Tim Hortons will delete remaining location data; establish and maintain a privacy management program that includes privacy impact assessments for the app and future apps; create a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensure that privacy communications are consistent; and report back with measures taken to comply with the recommendations.
“This investigation is yet another example where an organization has not effectively notified customers about its practices. Tim Hortons’ customers did not have adequate information to consent to the location tracking that was actually occurring. When people download and use these types of apps, it’s important that they know in advance what will happen to their personal information and that organizations follow through with their commitments,” Information and Privacy Commissioner of Alberta Jill Clayton said.