Canadian Privacy Commissioners allege Tim Hortons food chain collected vast amounts of sensitive data through its apps

June 5, 2022

Tim Hortons is a Canadian fast food outlet specialising in takeaway coffees and snacks. It has a large presence in Canada. It heavily promotes its apps to allow customers to order their beverages and food by phone.

The Privacy Commissioner of Canada has found that the Tim Hortons app violated privacy laws in collecting vast amounts of sensitive location data. The app permitted Tim Hortons to track and record users’ movements every few minutes, even when the app was not open. Tim Hortons asked for permission to access geolocation functions but misled users, who thought that access would be used only when the app was open. In fact, the location data was collected even when an individual’s app was not open. As long as the device was on, data was collected. Tim Hortons only stopped the practice when the Privacy Commissioners began to investigate.

Collection on this scale would give Tim Hortons an enormous amount of raw data from which, with the right algorithms, it could determine where users lived, where they worked and even when they used a competitor’s product. The Privacy Commissioner raised the question of proportionality, and appropriately. In the Australian context the issue is whether the purpose for the collection of that vast amount of data relates to the ordering and purchasing of coffee.

It is no surprise that the Privacy Commissioner found there wasn’t a “robust privacy management program for the app.” It is a fairly typical story: the majority of the work is focused on developing the functionality of the app and making it as attractive to users as possible, with privacy protections considered as an afterthought, if at all.

The media release from the Privacy Commissioner provides:

GATINEAU, QC, June 1, 2022 – People who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of every day, even when their app was not open, in violation of Canadian privacy laws, a joint investigation by federal and provincial privacy authorities has found.

The investigation concluded that Tim Hortons’ continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products.

The Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta issued their Report of Findings today.

The Tim Hortons app asked for permission to access the mobile device’s geolocation functions, but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data.

The app also used location data to infer where users lived, where they worked, and whether they were travelling. It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.

The investigation uncovered that Tim Hortons continued to collect vast amounts of location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so.

The company says it only used aggregated location data in a limited way, to analyze user trends – for example, whether users switched to other coffee chains, and how users’ movements changed as the pandemic took hold.

While Tim Hortons stopped continually tracking users’ location in 2020, after the investigation was launched, that decision did not eliminate the risk of surveillance. The investigation found that Tim Hortons’ contract with an American third-party location services supplier contained language so vague and permissive that it would have allowed the company to sell “de-identified” location data for its own purposes.

There is a real risk that de-identified geolocation data could be re-identified. A research report by the Office of the Privacy Commissioner of Canada underscored how easily people can be identified by their movements.

Location data is highly sensitive because it can be used to infer where people live and work, reveal trips to medical clinics. It can be used to make deductions about religious beliefs, sexual preferences, social political affiliations and more.

Organizations must implement robust contractual safeguards to limit service providers’ use and disclosure of their app users’ information, including in de-identified form. Failure to do so could put those users at risk of having their data used by data aggregators in ways they never envisioned, including for detailed profiling.

The investigation also revealed that Tim Hortons lacked a robust privacy management program for the app, which would have allowed the company to identify and address many of the privacy contraventions the investigation found.

The four privacy authorities recommended that Tim Hortons:

    • Delete any remaining location data and direct third-party service providers to do the same;
    • Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain app-related practices; and
    • Report back with the details of measures it has taken to comply with the recommendations.

Tim Hortons agreed to implement the recommendations.

Quotes

“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians.” – Daniel Therrien, Privacy Commissioner of Canada

“This report eloquently illustrates the risks inherent in the use of geolocation and the importance of transparent and accountable privacy practices. Without a suitable prior assessment, Tim Hortons collected sensitive information about its customers through its app, without their adequate knowledge or consent. It is to put an end to this kind of practice that Quebec has reviewed its legislation protecting personal information giving more powers to the Commission and making companies more accountable.” – Me Diane Poitras, president, Commission d’accès à l’information du Québec

“This investigation sends a strong message to organizations that you can’t spy on your customers just because it fits in your marketing strategy. Not only is this kind of collection of information a violation of the law, it is a complete breach of customers’ trust. The good news in this case is that Tim Hortons has agreed to follow the recommendations we set out, and I hope other organizations can learn from the results of this investigation.” – Michael McEvoy, Information and Privacy Commissioner for British Columbia

“This investigation is yet another example where an organization has not effectively notified customers about its practices. Tim Hortons’ customers did not have adequate information to consent to the location tracking that was actually occurring. When people download and use these types of apps, it’s important that they know in advance what will happen to their personal information and that organizations follow through with their commitments.” – Information and Privacy Commissioner of Alberta Jill Clayton

The story has been picked up by Yahoo News under the headline “Tim Hortons app collected vast amounts of sensitive data: privacy watchdogs”. It provides:

OTTAWA — Federal and provincial privacy watchdogs say the Tim Hortons mobile ordering app violated the law by collecting vast amounts of location information from customers.

In an investigation finding today, privacy commissioners say people who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of the day, even when their app was not open.

The investigation came after National Post reporter James McLeod obtained data showing the Tim Hortons app on his phone had tracked his location more than 2,700 times in less than five months.

Federal privacy commissioner Daniel Therrien did the investigation jointly with privacy commissioners from British Columbia, Quebec and Alberta.

The commissioners found the Tim Hortons app asked for permission to access a mobile device’s geolocation functions, but misled many users to believe information would only be accessed when the app was in use.

However, the app tracked users as long as the device was on, continually gathering their location data.