Tim Hortons App Collected Vast Amounts of Sensitive Data: Privacy Watchdogs

Tim Hortons App Collected Vast Amounts of Sensitive Data: Privacy Watchdogs
A Tim Hortons employee hands out coffee from a drive-thru window to a customer in Mississauga, Ont., on March 17, 2020. Nathan Denette/The Canadian Press
The Canadian Press
Updated:

The Tim Hortons mobile ordering app violated the law by collecting vast amounts of location information from customers, an investigation by federal and provincial privacy watchdogs has found.

In a report released Wednesday, privacy commissioners said people who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes, even when the app was not open on their phones.

The investigation came after National Post reporter James McLeod obtained data showing the Tim Hortons app on his phone had tracked his location more than 2,700 times in less than five months.

Federal privacy commissioner Daniel Therrien did the probe with privacy commissioners from British Columbia, Quebec and Alberta.

“Our joint investigation tells yet another troubling story of a company that failed to ensure proper design of an intrusive technology, resulting in a mass invasion of Canadians’ privacy,” Therrien said.

“It also highlights the very real risks related to location data and the tracking of individuals.”

The commissioners found the Tim Hortons app asked for permission to access a mobile device’s geolocation functions, but misled many users to believe information would be accessed only when the app was in use.

However, the app tracked users as long as the device was on, continually gathering their location data.

The commissioners say Tim Hortons collected “vast amounts” of granular location data with the aim of delivering targeted advertising, to better promote its coffee and associated products, but that it never actually used the data for this purpose.

The app used location data to infer where users lived, where they worked and whether they were travelling, the watchdogs found.

It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue or their home or workplace, the commissioners said in a joint news release.

“The investigation uncovered that Tim Hortons continued to collect location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so,” the release said.

“The company says it only used aggregated location data in a limited way, to analyze user trends—for example, whether users switched to other coffee chains, and how users’ movements changed as the pandemic took hold.”

Tim Hortons said Wednesday the company took immediate steps in 2020 to improve how it communicates with customers about the data they share with the company, and began reviewing its privacy practices with external experts.

“Shortly thereafter, we proactively removed the geolocation technology outlined in the report from the Tims app,” the company said in a statement. “The very limited use of this data was on an aggregated, de-identified basis to study trends in our business.”

While Tim Hortons stopped continually tracking users’ locations after the privacy probe began, this did not end the risk of surveillance, the watchdogs say.

The investigation found that Tim Hortons’ contract with a U.S. third-party location-services supplier contained language so “vague and permissive” that it would have allowed the supplier to sell “de-identified” location data for its own purposes.

There is a real risk that such geolocation data could be “re-identified,” the watchdogs warned.

“Geolocation data is incredibly sensitive because it paints such a detailed and revealing picture of our lives,” Therrien said.

Surveillance of everyday movements reveals where people live and work, as well as information about visits to a medical clinic or place of worship, he added. “It can be used to make deductions about sexual preferences, social political affiliations and much more.”

Tim Hortons agreed to implement recommendations that the company:

—delete any remaining location data and direct third-party service providers to do the same;

—establish and maintain a privacy management program for apps; and

—report on measures it has taken to comply with the recommendations.

Tim Hortons said the company had strengthened its internal team working to improve best privacy practices and continues to focus on ensuring customers “can make informed decisions about their data when using our app.”

B.C. information and privacy commissioner Michael McEvoy said many terms-of-use policies for apps are convoluted and don’t properly explain what is transpiring.

He added the emphasis needs to be “on the obligations of the companies to ensure that they understand the law and are complying with it.”

By Jim Bronskill