News release

Tim Hortons’ application violated privacy laws by collecting “large amounts” of sensitive location data

GATINEAU, QC, June 1, 2022 – People who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of every day, even when the app was not open, in violation of Canadian privacy laws, a joint investigation by federal and provincial privacy authorities has found.

The investigation concluded that Tim Hortons’ ongoing and extensive collection of location information was not commensurate with the benefits Tim Hortons hoped to gain from better-targeted promotion of its coffee and other products.

The Office of the Privacy Commissioner of Canada, the Quebec Access to Information Commission, the Office of the Information and Privacy Commissioner of British Columbia and the Office of the Alberta Information and Privacy Commissioner released their report of findings today.

The Tim Hortons app requested permission to access the geolocation features of the mobile device, but deceived many users into believing that the information would only be accessed when the app was in use. In fact, the app tracked users whenever the device was on, continuously collecting their location data.

The app also used location data to infer where users lived, worked, and traveled. It generated an “event” every time users entered or left a Tim Hortons competitor, a large sports venue, or their home or workplace.

The investigation found that Tim Hortons continued to collect large amounts of location data for a year after abandoning plans to use it for targeted advertising, even though it had no legitimate need to do so.

The company says it only used aggregate location data in a limited way, to analyze user trends, for example, whether users switched to other coffee chains and how users’ movements changed as the pandemic took hold.

Although Tim Hortons stopped continuously monitoring the location of users in 2020, after the start of the investigation, this decision did not eliminate the risk of surveillance. The investigation found that Tim Hortons’ contract with a U.S. location service provider contained such vague and permissive language that it would have allowed the company to sell “de-identified” location data for its own purposes.

There is a real risk that de-identified geolocation data may be re-identified. An investigation report from the Office of the Privacy Commissioner of Canada highlighted the ease with which people can be identified by their movements.

Location data is very sensitive because it can be used to infer where people live and work, and to reveal trips to medical clinics. It can be used to make deductions about religious beliefs, sexual preferences, social and political affiliations, and more.

Organizations must implement strong contractual safeguards to limit the use and disclosure by service providers of the information of users of their applications, even in de-identified form. Failure to do so would put those users at risk of having their data used by data aggregators in ways they never imagined, including for detailed profiling.

The investigation also revealed that Tim Hortons did not have a robust privacy management program for the application, which would have allowed the company to identify and address many of the privacy violations found in the investigation.

The four privacy authorities recommended that Tim Hortons:

  • Delete the remaining location data and direct third-party service providers to do the same;
  • Establish and maintain a privacy management program that: includes privacy impact assessments for the application and any other applications it launches; creates a process to ensure that the collection of information is necessary and proportionate to the identified privacy impacts; ensures that privacy communications are consistent and adequately explain application-related practices; and
  • Provide details of the steps it has taken to comply with the recommendations.

Tim Hortons agreed to implement the recommendations.

Quotes

“Tim Hortons clearly crossed the line, accumulating a lot of very sensitive information about its customers. Tracking people’s movements every few minutes every day was clearly an inadequate form of surveillance. This case again highlights the damage that may stem from poorly designed technologies as well as the need for sound privacy laws to protect the rights of Canadians.” – Daniel Therrien, Canadian Privacy Commissioner

“This report eloquently illustrates the risks inherent in using geolocation and the importance of transparent and accountable privacy practices. Without proper prior assessment, Tim Hortons collected sensitive information about its clients through the “It is to put an end to this type of practice that Quebec has revised its legislation that protects personal information, giving more powers to the Commission and making companies more responsible.” – Ms. Diane Poitras, President, Quebec Access to Information Commission

“This research sends a strong message to organizations that you can’t spy on your customers just because it fits in with your marketing strategy. This kind of information gathering is not only a violation of the law, it’s a total violation of “The good news in this case is that Tim Hortons has agreed to follow the recommendations we made, and I hope other organizations can learn from the results of this research.” – Michael McEvoy, Information and Privacy Commissioner of British Columbia

“This research is another example where an organization has not effectively notified clients of their practices. Tim Hortons’ clients did not have the right information to consent to the location tracking that was actually occurring. When people download and use these types of applications, it’s important for them to know in advance what will happen to their personal information and for organizations to live up to their commitments.” – Alberta Information and Privacy Commissioner Jill Clayton

To read more:

Findings report

Statement: Comments from the Privacy Commissioner of Canada

Press Release: Privacy Commissioners Launch Joint Investigation into Tim Hortons Mobile App

Contact:

Office of the Privacy Commissioner of Canada: Communications@priv.gc.ca

Quebec Information Access Commission: medias@cai.gouv.qc.ca

Office of the British Columbia Information and Privacy Commissioner: ammitchell@oipc.bc.ca

Alberta Information and Privacy Commissioner’s Office: SSibbald@oipc.ab.ca
