The investigation found that this extensive and ongoing collection of geolocation data by Tim Hortons was disproportionate to the benefits Tim Hortons could have expected from better-targeted advertising of its coffee and other products.
The Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Information and Privacy Commissioner of Alberta today released their report of findings.
While the Tim Hortons app requested permission to access the mobile device’s location-based services, it nevertheless misled many users into believing that data access would only take place when the app was open. In fact, the app tracked users as soon as their device was turned on, and continuously collected their geolocation data.
The application also used geolocation data to infer where users lived and worked, in addition to determining whether they were on the move. It generated an “event” each time users entered or left any of the following locations: Tim Hortons competitors, major sports venues, their home, and their workplace.
The investigation found that Tim Hortons continued to collect large amounts of geolocation data for a year after abandoning plans to use it for targeted advertising, even though it had no legitimate need for it.
The company claimed that it used aggregated geolocation data only to a limited extent, to analyze user trends – for example, to determine whether users had switched coffee chains and how users’ movements had changed when the pandemic took hold.
Tim Hortons stopped continuously tracking users’ location data in 2020, after the investigation began. However, this decision did not eliminate the risk of surveillance. The investigation found that Tim Hortons’ contract with a US third-party location services provider contained such broad and loose language that the third party could have sold the “deidentified” location data for its own purposes.
There is a real risk that deidentified geolocation data may be re-identified. A research report from the Office of the Privacy Commissioner of Canada highlighted how easy it is to identify individuals through their movements.
Geolocation data is extremely sensitive as it can be used to deduce people’s residence or work and to reveal trips to a medical clinic. These data can be used to draw conclusions about religious beliefs, sexual preferences, socio-political affiliations and more.
Organizations should establish strong contractual safeguards to restrict service providers’ use and disclosure of user data obtained through their application, including in deidentified form. Failure to do so may put users at risk of having their data used by data collectors in ways they never expected, including for profiling purposes.
The investigation also revealed that Tim Hortons had not established a rigorous privacy management program for the application, which would have enabled the company to identify and prevent many of the breaches revealed during the investigation.
The four privacy authorities have made the following recommendations to Tim Hortons:
Delete any remaining geolocation data and require third-party service providers to do the same;
Establish and maintain a privacy management program that includes the following: privacy impact assessments for the application and any other applications that may be launched; a process to ensure that the information collected is necessary and appropriate in light of the identified privacy implications; and mechanisms to ensure that privacy-related communications are consistent with, and adequately take into account, the app’s practices;
Report in detail on the steps the company has taken to comply with the recommendations.
Tim Hortons has agreed to implement these recommendations.
“Tim Hortons has gone too far in gathering a huge amount of very sensitive information about its customers. Tracking people’s movements every few minutes every day was clearly an inappropriate form of surveillance. This case once again reveals the damage that poorly designed technologies can cause. It also highlights the need for strong laws to protect Canadians’ privacy.” – Daniel Therrien, Canada’s Privacy Commissioner
“This report eloquently illustrates the risks associated with the use of geolocation and the importance of transparent and responsible privacy practices. Without proper due diligence, Tim Hortons collected sensitive customer information through its app without their proper knowledge or consent. It is to put an end to this type of practice that Quebec has reviewed its legislation that protects personal data in order to give more power to the Commission and to make companies more accountable.” – Me Diane Poitras, President of the Commission d’accès à l’information du Québec
“This study sends a clear message to organizations that you cannot spy on your customers just because it’s part of your marketing strategy. Not only is this type of information gathering a violation of the law, it is also a complete breach of trust with customers. The good news in this case is that Tim Hortons agreed to follow our recommendations, and I hope other organizations can learn from this study.” – Michael McEvoy, British Columbia Information and Privacy Commissioner
“This study is another example of an organization not effectively informing its customers about its practices. Tim Hortons’ customers did not have the information necessary to consent to the site tracking that actually took place. When people download and use this type of application, it is important that they know in advance what will happen to their personal information and that organizations respect their obligations.” – Jill Clayton, Alberta Information and Privacy Commissioner