Tim Hortons' mobile app tracked and recorded users' movements resulting in "a mass invasion of Canadians' privacy" that violated Canadian laws, an investigation by federal and provincial privacy commissioners has found.
The investigation concluded that while Tim Hortons asked its millions of mobile app users for permission to access geolocation data, the company misled them into thinking the information would only be used when the app was open. In fact, the app tracked user data as long as the device was left on, generating an "event" every time users entered or exited a Tim Hortons competitor, a major sports venue or their home or workplace, according to the investigation.
Federal privacy commissioner Daniel Therrein says in a statement that the Tim Hortons app tracked and recorded users' movements every few minutes on a daily basis, even when the app was not opened, "resulting in a mass invasion of Canadians' privacy."
"We have seen here an absolute lack of proportion between the continual tracking of customers' location, their habits and other sensitive information this reveals about them, and a company's desire to sell more products," Therrein said.
"In my view, what happened here once again makes plain the urgent need for stronger privacy laws to protect the rights and values of Canadians."
The investigation was conducted by the federal Privacy Commissioner alongside its provincial counterparts in Quebec, Alberta and British Columbia. It was first launched in June 2020 after a Financial Post investigation found that the Tim Hortons app had tracked reporter James McLeod's movements more than 2,700 times in a span of less than five months. More than 1.6 million active users were using the Tim Hortons app as of July 2020.
Tim Hortons spokesperson Michael Oliveira says in an emailed statement that the company has started to implement the privacy commissioners' recommendations, and that the investigation does not require any new changes be made to the existing Tim Hortons app.
"We proactively removed the geolocation technology outlined in the report from the Tims app. Data from this geolocation technology was never used for personalized marketing for individual guests," Oliveira said.
"The very limited use of this data was on an aggregated, de-identified basis to study trends in our business – and the results did not contain personal information from any guests."
Tim Hortons app users 'at risk of surveillance'
According to the investigation, Tim Hortons released an updated version of its app in May 2019 that featured enhanced location tracking using data collected by Radar, a U.S.-based third-party service provider. The company would receive an average of 10 data "events" per user per day from Radar.