Tim Hortons ‘misled’ app users, broke privacy laws

An investigation by federal and provincial authorities has found the Tim Hortons app tracked and recorded users’ movements, even when the app was not in use, in violation of Canadian privacy laws.

The Office of the Privacy Commissioner of Canada, along with commissioners from B.C., Quebec, an Alberta, released the report on their findings Wednesday, condemning the actions of the coffee chain for its violations.

“The Tim Hortons app asked for permission to access the mobile device’s geolocation functions, but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data,” the report found.

As well, the report says the app continued to collect “vast amounts of location data for a year after shelving plans to use it” even though the company had no legitimate reason to do so.

The data was used to determine where the app user lived, worked, and even if they were travelling. It also tracked when a user entered or left a Tim Hortons competitor coffee shop, or a major sports venue. The company says data was only used in a limited way to analyze user trends.

Related Articles:

• Privacy commissioners across Canada call for more facial recognition limits

• Watchdogs, human rights groups decry B.C.’s freedom of information fees

• Facebook to ‘nudge’ teenagers away from harmful content on its platforms

Michael McEvoy, Information and Privacy Commissioner for British Columbia, says it was a “complete breach of customers’ trust” and says the results of the investigation “sends a strong message to organizations that you can’t spy on your customers just because it fits in your marketing strategy.”

Tim Horton’s stopped tracking users’ locations in 2020 after an investigation was launched, but that didn’t mean the sensitive personal information was protected.

The contract with an American third-party location services supplier was also so vague that the U.S. company would have been able to sell “de-identified” location data for its own purposes. According to the Office of the Privacy Commissioner of Canada, de-identified geolocation data could easily be re-identified and could be used to learn a lot about a person’s personal life.

“Location data is highly sensitive because it can be used to infer where people live and work, reveal trips to medical clinics. It can be used to make deductions about religious beliefs, sexual preferences, social political affiliations and more,” the report explained.

A screen grab of the Tim Hortons app taken June 1, 2022 (Courtesy: apps.apple.com)

“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians,” Privacy Commissioner of Canada Daniel Therrien said.

Tim Hortons has agreed to the recommendations set out by the commissioners, which include deleting users’ location data and establishing a privacy management program.

“When people download and use these types of apps, it’s important that they know in advance what will happen to their personal information and that organizations follow through with their commitments,” Information and Privacy Commissioner of Alberta Jill Clayton said.