A joint investigation launched by four Privacy Commissioners in Canada into Tim Horton’s tracking of users’ geolocation information through its app will not lead to any disciplinary action.
The Privacy Commissioners of Canada, Quebec, Alberta, and British Columbia started an investigation into the Canadian operator of Tim Hortons, The TDL Group, and parent company Restaurant Brands International (RBI) after media reports indicated the app tracked users’ data.
The first article, published by the National Post, found the app tracked the article author to work, personal appointments, and even a vacation outside of Canada, even when the app was closed. The app tracked him more than 2,700 times in less than five months.
The investigation looked into whether Tim Horton’s collected data under appropriate circumstances and if it obtained proper consent from users. The app was downloaded nearly 10 million times between its launch in 2017 and July 2020. As of July 2020, the app has 1.6 million active users.
A May 2019 update saw TDL use Radar, a U.S.-based company, to collect users’ device location, almost every five minutes, to determine their home, place of work, when they were travelling, and when the user was at a Tim Horton’s competitor. The investigation found that Tim Hortons collected this information for targeted advertising but never used the data for that purpose. Instead, it used it for analytics on user trends.
“In our view, Tim Hortons did not collect and use the granular location data in question for an appropriate purpose in the circumstances,” the report says.
TDL stopped collecting data through the app in August 2020, after being notified of the investigation, launched in June 2020.
They found the company had no “legitimate need” to collect the “sensitive location information” since it was never used for its stated purpose. Tim Horton’s also didn’t “obtain valid consent,” failing to inform users their location information was collected when the app wasn’t in use, resulting in extensive collection compared to when customers were using the app.
The company also misled customers when it stated it only collected information when the app was open, as found in certain permission requests and its FAQ page, and failed to ensure users understood the consequences of contensing to data collection.
“As a society, we would not accept it if the government wanted to track our movements every few minutes of every day. It is equally unacceptable that private companies think so little of our privacy and freedom that they can initiate these activities without giving it more than a moment’s thought,” Daniel Therrien, Canada’s Privacy Commissioner, said.
While the investigation found Tim Horton’s didn’t meet obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec’s Private Sector Law, or the Personal Information Protection Acts for Alberta and B.C., it accepts TDL’s commitment to bring the app to compliance.
The company has agreed to delete all geolocation data in question, and have third-party service providers do the same. It has also agreed to establish a “privacy management program” the ensure the Tim Horton’s app, and any other apps TDL launches in the future, complies with the rules. The commissioners will follow up with TDL over the next year.
“In my view, what happened here once again makes plain the urgent need for stronger privacy laws to protect the rights and values of Canadians,” Therrien said.