In a news release, published on June 1 by the Office of the Privacy Commissioner of Canada (OPC), it was revealed that the Tim Hortons customer app was collecting vast amounts of movement and location data on its customers in violation of Canadian privacy law.
“The investigation concluded that Tim Hortons’ continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products,” reads the release.
The report says that while the Tim Hortons app asked for permission to access a users mobile device’s geolocation functions it misled many users who believed the information would only be accessed when the app was in use. “In reality, the app tracked users as long as the device was on, continually collecting their location data,” the release reads.
Tim Hortons used the data collected to infer where users lived, worked and whether they were traveling. The app sent an “event” notice every time users entered or left a Tim Hortons competitor, a major sports venue, or their home and workplace.
Tim Hortons continued to farm data for a year after “shelving plans to use it for targeted advertising even though it had no legitimate need to do so.”
Daniel Therrien, the Canadian Privacy Commissioner said, “Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance,” adding that, “This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians.”
Data used in a ‘limited way’
The company says it only used aggregated location data in a limited way; to analyze trends, to see if customers switched to other coffee chains and to determine how users’ movements changed during the COVID-19 pandemic.
Per the release, Tim Hortons halted continually tracking users’ locations in 2020, “after an investigation was launched” however OPC concluded that the decision “did not eliminate the risk of surveillance.”
It was also revealed that Tim Hortons had a contract with a third-party location services supplier that contained language so “vague and permissive” that it allowed the third-party company to sell “de-identified” location data for its own purposes.
The OPC said in its release that there is “a real risk” that de-identified geolocation data could be easily “re-identified,” meaning, people could be identified by their movement patterns alone.
“Location data is highly sensitive because it can be used to infer where people live and work, reveal trips to medical clinics. It can be used to make deductions about religious beliefs, sexual preferences, social political affiliations and more,” the OPC says.
Despite the OPCs findings Tim Hortons does not appear to be facing any repercussions for its behavior however, the OPC recommended that the company delete any remaining data and direct third-party service providers to do the same and to establish and maintain a privacy management program.
Tim Hortons has agreed to implement the recommendations and also agreed to report back to the OPC with details of measures the company has taken to comply with the recommendations.