The investigation concluded that Tim Hortons’ continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products.

The Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta issued their Report of Findings today.

The Tim Hortons app asked for permission to access the mobile device’s geolocation functions, but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data.

The app also used location data to infer where users lived, where they worked, and whether they were travelling. It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.

The investigation uncovered that Tim Hortons continued to collect vast amounts of location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so.

The company says it only used aggregated location data in a limited way, to analyze user trends – for example, whether users switched to other coffee chains, and how users’ movements changed as the pandemic took hold.

While Tim Hortons stopped continually tracking users’ location in 2020, after the investigation was launched, that decision did not eliminate the risk of surveillance. The investigation found that Tim Hortons’ contract with an American third-party location services supplier contained language so vague and permissive that it would have allowed the company to sell “de-identified” location data for its own purposes.

There is a real risk that de-identified geolocation data could be re-identified. A research report by the Office of the Privacy Commissioner of Canada underscored how easily people can be identified by their movements.

Location data is highly sensitive because it can be used to infer where people live and work, reveal trips to medical clinics. It can be used to make deductions about religious beliefs, sexual preferences, social political affiliations and more.

Organizations must implement robust contractual safeguards to limit service providers’ use and disclosure of their app users’ information, including in de-identified form. Failure to do so could put those users at risk of having their data used by data aggregators in ways they never envisioned, including for detailed profiling.

The investigation also revealed that Tim Hortons lacked a robust privacy management program for the app, which would have allowed the company to identify and address many of the privacy contraventions the investigation found.

The four privacy authorities recommended that Tim Hortons:

• Delete any remaining location data and direct third-party service providers to do the same;
• Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified;  ensures that privacy communications are consistent with, and adequately explain app-related practices; and
• Report back with the details of measures it has taken to comply with the recommendations.

Tim Hortons agreed to implement the recommendations.

QUOTES

“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians.”

“This report eloquently illustrates the risks inherent in the use of geolocation and the importance of transparent and accountable privacy practices. Without a suitable prior assessment, Tim Hortons collected sensitive information about its customers through its app, without their adequate knowledge or consent. It is to put an end to this kind of practice that Quebec has reviewed its legislation protecting personal information giving more powers to the Commission and making companies more accountable. ”

“This investigation sends a strong message to organizations that you can’t spy on your customers just because it fits in your marketing strategy. Not only is this kind of collection of information a violation of the law, it is a complete breach of customers’ trust. The good news in this case is that Tim Hortons has agreed to follow the recommendations we set out, and I hope other organizations can learn from the results of this investigation.”

“This investigation is yet another example where an organization has not effectively notified customers about its practices. Tim Hortons’ customers did not have adequate information to consent to the location tracking that was actually occurring. When people download and use these types of apps, it’s important that they know in advance what will happen to their personal information and that organizations follow through with their commitments.”