
The Tim Hortons app tracks too much personal information without adequate consent, the investigation found

An investigation into Tim Hortons by the federal privacy commissioner found that the app unnecessarily collected large amounts of data without adequate user consent.

The commissioner's report, which was released Wednesday morning, said Tim Hortons collected detailed location data for targeted advertising and promotion of its products, but the company never used the data for that purpose.

“The implications of the collection of this data from the application, most of which was collected when the application was not in use, represent a loss of user confidentiality that is disproportionate to the potential benefits that Tim Hortons hoped to gain from improved targeted promotion of its coffee and related products,” the report said.

The joint investigation was launched about two years ago by the Office of the Commissioner for Privacy of Canada, together with similar bodies in British Columbia, Quebec and Alberta. This came after a Financial Post report found that the Tim Hortons app tracked users’ geolocation while users were not using the app.

According to a presentation to investors shared in May, the restaurant chain’s application has four million active users.

A third party collected geolocation data

Tim Hortons used a third-party service provider, Radar, to collect geolocation data from users. In August 2020, Tim Hortons stopped collecting location data.

However, the investigation found that there was no contractual protection for users’ personal information while it was being processed by Radar. The report describes the language in the contract clauses as “vague and permissive”, which could allow Radar to use personal information collected in aggregate or de-identified form for its own business.

“While we accept that Radar did not use or disclose information for its own purposes, the contractual language in this case does not appear to provide adequate protection by Tim Hortons for users’ personal information,” the report said.

The report states that Tim Hortons also agreed to delete all location details and to have third-party service providers do the same, as recommended by the privacy authorities. The company also agreed to establish a privacy management program for its application and all future applications to ensure that it complies with federal and provincial privacy laws.

The federal law governing privacy issues is known as the Personal Information Protection and Electronic Documents Act, or PIPEDA.

Given these remedies, the report found that while the Tim Hortons app did not comply with privacy laws, the company has since taken steps to address the issues.

“We have strengthened our in-house team dedicated to improving best practices when it comes to privacy, and we continue to focus on ensuring that guests can make informed decisions about their data when using our app,” a statement from Tim Hortons published on Wednesday said.

“Increases the risk of mass surveillance”

The privacy commissioners responsible for the joint investigation held a teleconference with journalists on Wednesday, in which they strongly condemned the privacy breaches highlighted in the report.

“The location tracking ecosystem, where details of our daily lives are treated as a commodity to be used to sell us products and services like a cup of coffee, increases the risk of mass surveillance,” said Daniel Therrien, Canada’s privacy commissioner.

Photo caption: Daniel Therrien, Canada’s privacy commissioner, is shown at a press conference in September 2018. In a teleconference with reporters on Wednesday, Therrien warned that geolocation tracking increases the risk of mass surveillance. (Sean Kilpatrick / Canadian Press)

David Fraser, a Halifax-based privacy lawyer, said the findings of the investigation are a lesson not only for Tim Hortons, but for any entity that creates an application that collects location data.

“Location information is usually recognized as among the most sensitive information that can be gathered because of the type of conclusions you can draw about people’s lifestyles … it will tell you where they live, where they work, where they are going,” Fraser said.

The Federal Commissioner does not have the power to impose fines on entities found to be in breach of PIPEDA. However, the Quebec Commission for Access to Information will soon be able to issue administrative fines, fines, mandatory orders and more. These new powers will take effect in September 2023.

Michael McEvoy, Commissioner for Information and Privacy in British Columbia, said more power should be given to the offices of the Privacy Commissioners.

“This puts the spotlight back on our chosen assemblies and jurisdictions to take action,” he said.

The company is facing several class actions

Restaurant Brands International Inc., the parent company of Tim Hortons, is facing several lawsuits over its mobile app.

The lawsuits were filed following the Financial Post’s report on the collection of geolocation data.

Fraser said that while the findings of the commissioners’ investigation would be relevant to court cases, a different standard would be applied in court, including whether intrusion into private life would be “very offensive to a reasonable person”.

“The court must determine the facts itself. The court cannot delegate to say, ‘Well, here is what the Privacy Commissioner found, and therefore we will believe it,’” he said.