Tim Hortons, Canada’s hugely popular and wholesomely-marketed coffee chain known for its Timbits and "double-doubles," constantly collected location data from users of its app even when the app was not in use and after not properly disclosing this collection to the users, violating Canadian law, according to an announcement from Canadian regulators.
The news is a rare instance of regulators making moves against an app collecting location data and demanding them to delete the information.
“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians,” Daniel Therrien, the Privacy Commissioner of Canada, said in a statement published with the announcement.
The Office of the Privacy Commissioner of Canada is tasked with enforcing two federal privacy laws, The Privacy Act, and the Personal Information Protection and Electronic Documents Act (PIPEDA). The office can investigate companies and make recommendations, and take companies to court.
Many apps collect location data from smartphones. Some of those apps collect the information as part of its ordinary operation, such as a maps or direction app. Others do so as an extra form of revenue generation; their developers sometimes sell the raw data to third-party companies that plant the location data gathering code into the app. In Tim Hortons’ case, the location data was used to track “every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace,” and Tim Hortons said it used the data to determine whether users switched to another coffee chain and perform other analysis, the announcement reads. Tim Hortons planned to use data for targeted advertising, but continued to gather the detailed information even after those plans were shelved, the announcement says.
Most egregiously, “The Tim Hortons app asked for permission to access the mobile device’s geolocation functions, but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data,” the announcement reads.
The Financial Post first reported the location data gathering in June 2020.
The announcement says that Tim Hortons has been recommended to delete any remaining location data, and tell third-party service providers to do the same; make various privacy improvements such as carrying out privacy impact assessments, and then report back with details on what it has done to comply with those recommendations.
Tim Hortons told Motherboard in an emailed statement that “We fully co-operated with the privacy commissioners of Canada, Alberta, British Columbia and Quebec in the course of their investigation and we’ve already begun work on implementing their recommendations.” The statement continued:
“In June 2020, we took immediate steps to improve how we communicate with guests about the data they share with us and began reviewing our privacy practices with external experts. Shortly thereafter, we proactively removed the geolocation technology outlined in the report from the Tims app. Data from this geolocation technology was never used for personalized marketing for individual guests. The very limited use of this data was on an aggregated, de-identified basis to study trends in our business—and the results did not contain personal information from any guests. We’ve strengthened our internal team that’s dedicated to enhancing best practices when it comes to privacy and we’re continuing to focus on ensuring that guests can make informed decisions about their data when using our app.”
Tim Hortons was founded in the 1960s by hockey player Tim Horton, and is currently owned by the same multinational conglomerate that owns Burger King and Popeyes. Despite this, it's often marketed as being a core part of a certain wholesome ideal of Canadian identity, and so many Canadians will probably be disturbed to learn they were being spied on by what is effectively a national institution.
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.