Tim Hortons' mobile app tracked and recorded users' movements resulting in "a mass invasion of Canadians' privacy" that violated Canadian laws, an investigation by federal and provincial privacy commissioners has found.
The investigation concluded that while Tim Hortons asked its millions of mobile app users for permission to access geolocation data, the company misled them into thinking the information would only be used when the app was open. In fact, the app tracked user data as long as the device was left on, generating an "event" every time users entered or exited a Tim Hortons competitor, a major sports venue or their home or workplace, according to the investigation.
Federal privacy commissioner Daniel Therrein says in a statement that the Tim Hortons app tracked and recorded users' movements every few minutes on a daily basis, even when the app was not opened, "resulting in a mass invasion of Canadians' privacy."
"We have seen here an absolute lack of proportion between the continual tracking of customers' location, their habits and other sensitive information this reveals about them, and a company's desire to sell more products," Therrein said.
"In my view, what happened here once again makes plain the urgent need for stronger privacy laws to protect the rights and values of Canadians."
The investigation was conducted by the federal Privacy Commissioner alongside its provincial counterparts in Quebec, Alberta and British Columbia. It was first launched in June 2020 after a Financial Post investigation found that the Tim Hortons app had tracked reporter James McLeod's movements more than 2,700 times in a span of less than five months. More than 1.6 million active users were using the Tim Hortons app as of July 2020.
Tim Hortons spokesperson Michael Oliveira says in an emailed statement that the company has started to implement the privacy commissioners' recommendations, and that the investigation does not require any new changes be made to the existing Tim Hortons app.
"We proactively removed the geolocation technology outlined in the report from the Tims app. Data from this geolocation technology was never used for personalized marketing for individual guests," Oliveira said.
"The very limited use of this data was on an aggregated, de-identified basis to study trends in our business – and the results did not contain personal information from any guests."
Tim Hortons app users 'at risk of surveillance'
According to the investigation, Tim Hortons released an updated version of its app in May 2019 that featured enhanced location tracking using data collected by Radar, a U.S.-based third-party service provider. The company would receive an average of 10 data "events" per user per day from Radar.
While the data was not used for targeted advertising, it was used to analyze user trends. For example, Tim Hortons told the privacy commissioners that it could provide push notifications of promotional offers for users that were attending a professional hockey game, or travelling to a different city.
Tim Hortons disabled the location-tracking feature within days of the launch of the privacy investigation. The current version of the app uses location data to identify nearby Tim Hortons restaurants on a map, and the investigation said the company "is no longer using granular data collected through the app for any other purposes."
But the privacy commissioners say the decision to stop continually tracking users "did not eliminate the risk of surveillance," pointing to the Tim Hortons contract with Radar which "contained language so vague and permissive that it would have allowed the company to sell 'de-identified' location data for its own purposes."
"Organizations must implement robust contractual safeguards to limit service providers' use and disclosure of their app users' information, including in de-identified form," the privacy commissioners said in a statement.
"Failure to do so could put those users at risk of having their data used by data aggregators in ways they never envisioned, including for detailed profiling."
The privacy commissioners' report recommends that Tim Hortons delete any remaining location data and direct third-party service providers to do the same. It is also calling on the company to create a privacy management program that would ensure information collection is necessary and proportional to the impacts to people's privacy.
The coffee and doughnut chain will have to report back to the privacy commissioners within nine months, detailing the measures it has implemented.
Alicja Siekierska is a senior reporter at Yahoo Finance Canada. Follow her on Twitter @alicjawithaj.