Canadian Privacy Commissioners allege Tim Hortons food chain collected vast amounts of sensitive data through its apps

June 5, 2022

Tim Hortons is a Canadian fast food outlet specialising in takeaway coffees and snacks. It has a large presence in Canada. It heavily promotes its apps to allow customers to order their beverages and food by phone.

The Privacy Commissioner of Canada has found that the Tim Hortons app violated privacy laws in collecting vast amounts of sensitive location data. The app permitted Tim Hortons to track and record users' movements every few minutes, even when the app was not open. Tim Hortons asked for permission to access geolocation functions but misled users, who thought that access would be used when the app was open. In fact the location data was collected even when an individual's app was not open. As long as the device was on, data was collected. Tim Hortons only stopped the practice when the Privacy Commissioners began to investigate.

Collection on this scale would give Tim Hortons an enormous amount of raw data from which, with the right algorithms, it could determine where users lived, where they worked and even when they used a competitor’s product. The question of proportionality was raised by the Privacy Commissioner. And appropriately. In the Australian context the issue is whether the purpose for the collection of that vast amount of data relates to the ordering and purchasing of coffee.

It is no surprise that the Privacy Commissioner found there wasn’t a “robust privacy management program for the app.” It is a fairly typical story to see the majority of the work being focused on developing the functionality of the app and making it as attractive to users as possible and considering privacy protections as

Australian and Canadian Privacy Commissioner release report into Ashley Madison data breach

September 4, 2016

The Australian Privacy Commissioner has taken action against Ashley Madison, whose data breach in July 2015 was a sensation. So has the Canadian Privacy Commissioner. They have released joint findings. The joint findings are found here.

These are likely to be influential findings, as the combined report undertakes a detailed analysis of both the facts and the expectations under the various privacy principles. Given the dearth of authorities, this will provide valuable guidance.

As with many data breach/interference with privacy complaints followed up by regulators, the initial cause of the breach/interference gives rise to a broader investigation which almost invariably highlights deficiencies in compliance throughout the organisation. It is commonly the case that a breach of security has many causes: out-of-date software protection, poor protocols, inadequate staff training, excessive data retention far beyond the date when the data is usable or relevant to the organisation's operations, and a lack of understanding as to identity verification.

Ashley Madison, or more accurately its corporate entity Avid Life Media Inc (“ALM”), entered
