Tim Hortons’ mobile app tracked and recorded user movements, leading to a “mass invasion of Canadian privacy” that violated Canadian law, investigated by federal and provincial privacy commissioners.
The investigation concluded that while Tim Hortons asked his millions of mobile app users to allow access to geolocation data, the company misled them into thinking that the information would only be used when the app was open. In fact, the application monitored user data as long as the device was left on, and generated an “event” each time users entered or left competitor Tim Horton, a major sports venue or their home or workplace, according to the investigation.
Federal Privacy Commissioner Daniel Therrein said in a statement that Tim Hortons tracked and recorded user movements every few minutes on a daily basis, even when the application was not open, “resulting in a massive invasion of Canadian privacy.”
“We’ve seen an absolute lack of relationship between constantly monitoring customers’ locations, their habits and other sensitive information they reveal about them, and the company’s desire to sell more products,” Therrein said.
“In my opinion, what has happened here again clearly shows the urgent need for stronger privacy laws to protect the rights and values of Canadians.”
The investigation was led by the Federal Privacy Commissioner along with his provincial counterparts in Quebec, Alberta and British Columbia. It was first launched in June 2020 after a Financial Post investigation found that Tim Hortons’ application tracked reporter James McLeod’s movements more than 2,700 times in less than five months. As of July 2020, more than 1.6 million active users were using Tim Hortons.
Tim Horton spokesman Michael Oliveira said in an e-mail statement that the company had begun to implement the recommendations of the Privacy Commissioners and that the investigation did not require any new changes to Tim Horton’s existing application.
“We have proactively removed the geolocation technology reported in the Tims report. The data from this geolocation technology has never been used for personalized marketing for individual guests,” said Oliveira.
“The very limited use of this data was on an aggregated, de-identified basis to study trends in our business – and the results did not include personal data from any guests.”
Tim Hortons users “at risk of tracking”
According to the investigation, Tim Hortons released an updated version of his application in May 2019, which included improved location tracking using data collected by Radar, a third-party service provider based in the United States. The company would receive an average of 10 data “events” per user per day from Radar.
Although the data was not used for targeted advertising, it was used to analyze user trends. Tim Hortons, for example, told privacy commissioners that he could provide push notifications about promotional offers for users who attend a professional hockey game or travel to another city.
Tim Hortons has disabled location tracking within days of initiating a privacy investigation. The current version of the app uses location data to identify Tim Horton’s nearby restaurants on a map, and the investigation said the company “no longer uses granulated data collected through the app for any other purpose.”
However, privacy commissioners say the decision to stop continuous user monitoring “did not eliminate the risk of surveillance”, pointing to Tim Hortons’ agreement with Radar, which “contained language so vague and tolerant that it would allow the company to sell” de-identified location data for its own purposes.”
“Organizations need to put in place robust contractual safeguards to limit the use and disclosure of information about users of their applications to service providers, even in unidentified form,” the privacy commissioners said in a statement.
“If you don’t, these users could risk their data being used by data aggregators in a way they never imagined, including detailed profiling.”
The Privacy Commissioners’ report recommends that Tim Hortons delete all remaining location data and order third-party service providers to do the same. The company also calls for a privacy management program to ensure that the collection of information is necessary and proportionate to the impact on people’s privacy.
The coffee and donuts chain will have to report to the Data Protection Commissioners within nine months, detailing the measures it has put in place.
Alicja Siekierska is Yahoo Finance Canada’s chief reporter. Follow her on Twitter @alicjawithaj.
Download the Yahoo Finance app available for Apple and Android.
#Tim #Hortons #application #track #mass #invasion #Canadian #privacy #watchdog