Tim Hortons App Violated Privacy Laws by Collecting ‘Vast Amounts’ of Location Data, Concludes Probe
The Office of the Privacy Commissioner of Canada on Wednesday released the findings of a joint probe by federal and provincial privacy commissioners into the user tracking and data collection practices of Tim Hortons’ mobile app.
“People who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of every day, even when their app was not open, in violation of Canadian privacy laws,” the investigation found.
More than one in 10 Canadians use the Tim Hortons app at least once a month. National Post journalist James McLeod raised privacy concerns regarding the mobile app in a 2020 report, after discovering first-hand that the app collected users’ location data, even when it wasn’t in use.
Tim Hortons app violated privacy laws in collection of ‘vast amounts’ of sensitive location data https://t.co/gLgR98b3G0
— James McLeod (@jamespmcleod) June 1, 2022
The Tim Hortons app fetched and recorded McLeod’s location data 2,700 times over an observation period of under five months. Soon after, federal Privacy Commissioner Daniel Therrien and his counterparts in Alberta, British Columbia, and Quebec launched a joint probe into the matter.
The joint investigation concluded that even though the app asked users for permission to access their device’s location, it misled many of them to believe the information would only be retrieved when the app was in use.
In actuality, Tim Hortons’ mobile app also collected location data and tracked users in the background.
The four privacy commissioners have jointly recommended that Tim Hortons:
- Delete any remaining location data and direct third-party service providers to do the same;
- Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain, app-related practices; and
- Report back with the details of measures it has taken to comply with the recommendations.
The fast-food chain has accepted all of the recommendations.
Allegations of privacy law violations also resulted in four class-action lawsuits against the fast-food giant in B.C., Ontario, and Quebec. These findings will likely guide the outcome of the class actions.