Tim Hortons’ mobile app has violated Canadian privacy laws, a new investigation has found.
Tim Hortons’ mobile app tracks and records consumer movements, leading to a “massive invasion of Canadian privacy” that violates Canadian law, according to an investigation by federal and provincial privacy commissioners.
The investigation concluded that while Tim Hortons asked its millions of mobile app users for permission to access geolocation data, the company misled them into believing that the information would only be used when the app was open. In fact, the app tracks user data while the device is left on, generating an “event” every time users enter or leave a Tim Hortons competitor, a major sports venue or their home or workplace, according to the investigation.
Federal Privacy Commissioner Daniel Therrien said in a statement that the Tim Hortons app tracks and records user movements every few minutes on a daily basis, even when the app is not open, “leading to a massive invasion of Canadian privacy.”
“We see an absolute disproportion between the constant tracking of customers’ location, their habits and other sensitive information that this reveals to them, and the company’s desire to sell more products,” Therrien said.
“In my opinion, what has happened here again shows the urgent need for stricter privacy laws to protect the rights and values of Canadians.”
The investigation was conducted by the Federal Commissioner for Privacy, along with his provincial counterparts in Quebec, Alberta and British Columbia. It was first released in June 2020, after an investigation by the Financial Post found that the Tim Hortons app tracked the movements of reporter James McLeod more than 2,700 times in less than five months. More than 1.6 million active users used the Tim Hortons app as of July 2020.
Tim Hortons spokesman Michael Oliveira said in an e-mail statement that the company had begun implementing the commissioners’ recommendations and that the investigation did not require new changes to Tim Hortons’ existing application.
“We have proactively removed the geolocation technology outlined in the Tims report. Data from this geolocation technology has never been used for personalized marketing for individual guests,” Oliveira said.
“The very limited use of this data was on a generalized, de-identified basis to study trends in our business – and the results did not contain personal information from any of the guests.”
Tim Hortons users are “at risk of surveillance”
According to the investigation, Tim Hortons released an updated version of its application in May 2019, which included improved location tracking using data collected by Radar, a US-based third-party provider. The company would receive an average of 10 “events” with user data per day from Radar.
Although the data was not used for targeted advertising, it was used to analyze consumer trends. For example, Tim Hortons told privacy commissioners that it could provide push notifications for promotional offers to users attending a professional hockey game or traveling to another city.
Tim Hortons disabled location tracking within days of the launch of the privacy investigation. The current version of the app uses location data to identify nearby Tim Hortons restaurants on a map, and the investigation said the company “no longer uses detailed data collected through the app for any other purpose.”
But privacy commissioners say the decision to suspend continuous consumer tracking “does not eliminate the risk of surveillance”, citing Tim Hortons’ contract with Radar, which contained such vague and authoritative language that it would allow the company to sell “de-identified” location data for its own purposes.
“Organizations must enforce strong contractual safeguards to limit the use by service providers and the disclosure of information to users of their applications, including in an unidentified form,” a statement from the Privacy Commissioners said.
“Failure to do so may put these users at risk of having their data used by data aggregators in ways they never imagined, including detailed profiling.”
The report by the Privacy Commissioners recommends that Tim Hortons delete all other location data and instruct third-party service providers to do the same. It also called on the company to set up a privacy management program to ensure that the collection of information is necessary and proportionate to the impact on people’s privacy.
The coffee and donut chain will have to report to the Privacy Commissioners within nine months, detailing the measures it has implemented.
Alicja Siekierska is a senior reporter at Yahoo Finance Canada. Follow her on Twitter @alicjawithaj.