Canadian investigators found that users of the coffee chain Tim Hortons’ mobile app “had their movements tracked and recorded every few minutes every day” even when the app was not open, in violation of the country’s privacy laws.
“The Tim Hortons app requested permission to access the geolocation features of the mobile device, but misled many users into believing that the information would only be accessible when the app was in use. In fact, the app tracks users while the device is on, continuously collecting their location data,” according to a statement Wednesday from the Office of the Privacy Commissioner of Canada. The feds are cooperating with provincial authorities in Quebec, British Columbia and Alberta in the Tim Hortons investigation.
“The app also uses location data to infer where users live, work and travel,” the Office of the Privacy Commissioner said. “It generates an ‘event’ every time users enter or leave a Tim Hortons competitor, a major sporting event, or their home or workplace.”
Tim Hortons abandoned plans to use the app for targeted advertising but “continued to collect massive amounts of location data” for another year “even though there was no legal need to do so,” the Office of the Privacy Commissioner said. Tim Hortons said it used aggregated location data “to analyze consumer trends — for example, whether consumers switched to other coffee chains and how consumer movements changed with the onset of the pandemic,” the feds said.
“Inappropriate Form of Surveillance”
“Tim Hortons has clearly crossed the line by accumulating an enormous amount of highly sensitive information about its customers,” said Canada’s Privacy Commissioner Daniel Therrien. “Tracking people’s movements every few minutes every day was clearly an inappropriate form of surveillance.”
Tim Hortons has more than 5,100 stores in 13 countries. Most are in Canada, but there are more than 600 in the US, mostly in New York, Michigan and Ohio.
Tim Hortons stopped continuously tracking users’ location in 2020 after the government launched an investigation. But that “doesn’t eliminate the risk of surveillance” because “Tim Hortons’ contract with a US third-party location service provider contained language so vague and permissive that it would have allowed the company to sell ‘de-identified’ location data for its own purposes,” the Office of the Privacy Commissioner said. As the office notes, “there is a real risk that de-identified geolocation data could be re-identified.”
Tim Hortons has agreed to comply with the agencies’ recommendations, but apparently will not face any punishment. The investigation report said Tim Hortons’ commitments “will bring the company into compliance” with Canadian law and that “therefore, we find this matter well-founded and conditionally resolved.” This is the language used when an organization has violated Canadian privacy laws but has “committed to implementing satisfactory corrective actions.”