OTTAWA-
Tim Hortons’ mobile order enforcement violated the law by collecting large amounts of customer location information, according to an investigation by federal and provincial privacy agencies.
In a report released Wednesday, privacy commissioners say people who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes, even when the app was not open on their phones.
The investigation came after National Post reporter James McLeod obtained data showing that the Tim Hortons app on his phone had tracked its location more than 2,700 times in less than five months.
Federal Privacy Commissioner Daniel Therrien conducted the investigation with privacy commissioners from British Columbia, Quebec and Alberta.
“Our joint investigation tells another troubling story of a company that failed to ensure the proper design of an intrusive technology, leading to a massive invasion of Canadian privacy,” Therrien said.
“It also highlights the very real risks associated with location data and tracking individuals.”
The commissioners found that the Tim Hortons app was asking for permission to access the geolocation features of a mobile device, but deceived many users into believing that the information would only be accessed when the app was in use.
However, the app tracked users while the device was on, continuously collecting their location data.
Commissioners say Tim Hortons collected “large amounts” of granular location data for targeted advertising, to better promote his coffee and associated products, but never used the data for this purpose. .
The app used location data to infer where users lived, where they worked, and if they traveled, found the guards.
It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace, commissioners said in a joint press release.
“The investigation found that Tim Hortons continued to collect location data for a year after abandoning plans to use it for targeted advertising, although he had no legitimate need to do so,” he said. press release.
“The company says it only used limited aggregate location data to analyze user trends, such as whether users switched to other coffee chains and how users’ movements changed as they moved. pandemic consolidated “.
Although Tim Hortons stopped monitoring users’ locations continuously in 2020 after the probe was launched, this did not eliminate the risk of surveillance, watchdogs say.
The investigation found that Tim Hortons’ contract with a U.S. location service provider contained such “vague and permissive” language that it would have allowed the company to sell “unidentified” location data for its own purposes. .
There is a real risk that this geolocation data could be “re-identified,” control agencies warned.
“Geolocation data is incredibly sensitive because it paints such a detailed and revealing picture of our lives,” Therrien said.
Monitoring our daily movements reveals where people live and work, as well as information about visits to a medical clinic or place of worship, he added.
“It can be used to make deductions about sexual preferences, social political affiliations and more.”
Tim Hortons agreed to implement the company’s recommendations:
- delete the remaining location data and ask third-party service providers to do the same;
- establish and maintain a privacy management program for applications; i
- report on the measures taken to comply with the recommendations.
This report from The Canadian Press was first published on June 1, 2022