The Privacy Commissioner of Canada finds that the Tim Hortons app violated the law by collecting large amounts of data about the whereabouts of its users without their express consent.
In a report filed Wednesday, the federal commissioner and his provincial colleagues in British Columbia, Quebec and Alberta determined that people who downloaded the Tim Hortons app “had their movements tracked and recorded within minute intervals each day, even when their app was not open, which violates Canadian privacy laws.
The investigation, which lasted 23 months, was carried out after the journalist of the National Post James McLeod obtained data showing that the Tim Hortons app on his cell phone had tracked his location more than 2,700 times in less than five months, “and not just” when he was using the app.
Federal privacy commissioner Daniel Therrien immediately launched an investigation, along with the privacy commissioners of British Columbia, Quebec and Alberta.
“Our joint investigation uncovers another disturbing case, that of a company that failed to take the necessary steps to properly design intrusive technology, which resulted in a massive breach of the privacy of Canadians,” summarizes Mr. Therrien. This investigation also highlights the very real risks posed by geolocation data and user monitoring. »
The president of the Commission d’accès à l’information du Québec, Diane Poitras, maintained that this report illustrated “eloquently the risks inherent in the use of geolocation and the importance of data protection practices. transparent and accountable personal information”.
If we go to the competitor
Commissioners found that the Tim Hortons app asked its users for permission to access their device’s location-based features, but tricked them into believing it would only access this information when the app was open. In fact, the app tracked its users as long as their device was open, continually collecting information about their location.
The commissioners say Tim Hortons “continued to collect large amounts of location-based data for a year after it backtracked from plans to use it for targeted advertising, even though it had no legitimate need to act in this direction”.
The app used location data to infer the location of where users live and work and when they were travelling, but also to establish when users were visiting a competitor of Tim Hortons. discovered the commissioners.
The application also generated an entry or exit “event” each time the user visited one of the nine competitors identified by Tim Hortons, visited the main venues and stadiums where sporting events were held, or returned to his presumed place of residence or work,” the commissioners explained in a joint press release.
“The company argued that it only used aggregate geolocation data to a limited extent to analyze user trends – to determine, for example, whether a user had changed coffee shop chains and how users’ journeys had changed as the pandemic took hold. »
Tim Hortons assured Wednesday that it has taken immediate steps in 2020 to improve the way it communicates with customers about the data they share with it, and that it has begun to review its privacy practices with external experts.
“Soon after, we proactively removed the location-based technology described in the report from the Tims app,” the company said in a statement. The very limited use of this data was on an aggregated and anonymized basis to study trends in our business. »
Contract with a US third party
Although Tim Hortons stopped continuously tracking users’ geolocation data in 2020 after the investigation began, the move did not eliminate the risk of surveillance, the commissioners say.
Their investigation revealed that Tim Hortons’ contract with a U.S. third-party location-based service provider contained language “so broad and loosely framed” that the third-party could have sold the de-identified location data for its own purposes ( anonymized).
“Geolocation data is extremely sensitive since it can be used to infer people’s place of residence or work and to reveal trips to a medical clinic,” explains Mr. Therrien. This data can be used to make inferences about religious beliefs, sexual preferences, socio-political affiliations and more. »
Tim Hortons has agreed to implement the recommendations of the three commissions:
— delete all remaining geolocation data and require third-party service providers to do the same;
— establish and maintain a personal information protection management program;
— and report in detail on the measures taken to comply with these recommendations.
Tim Hortons said on Wednesday that it has bolstered its internal team responsible for improving privacy best practices and continues to work to assure its customers that they “can make informed decisions about their data when using » its application.