The federal privacy commissioner’s investigation into Tim Hortons’ mobile app found that the app was collecting unnecessarily large amounts of data without getting proper user consent.
The report, which was released Wednesday morning, states that Tim Hortons collected granular location data for targeted advertising and product promotion purposes, but that the company never used the data for these purposes.
“The consequences associated with the collection of this data by the application, the vast majority of which were collected when the application was not in use, represented a loss of user privacy that was not commensurate with the potential benefits that Tim Hortons could have hoped to get from the targeted promotion of its coffee and associated products for improvement,” the report says.
The joint investigation was launched about two years ago by the Office of the Privacy Commissioner of Canada along with similar authorities in BC, Quebec and Alberta. It came after a Financial Post report found that the Tim Hortons app tracked users’ geolocation while users were not using the app.
Geolocation data collected by third parties
Tim Hortons used an external service provider, Radar, to collect geolocation data from users. In August 2020, Tim Hortons stopped collecting location data.
However, the investigation found that there was a lack of contractual protections for users’ personal information while it was being processed by Radar. The report describes the language of the contract terms as “vague and permissive”, which could have allowed Radar to use the personal information collected in aggregated or de-identified form for its own business.
“While we accept that Radar did not make use of or disclose for its own purposes, the contractual language in this case does not appear to constitute adequate protection, by Tim Hortons, of users’ personal information,” the report says.
The report states that Tim Hortons also agreed to delete all granular location data and to have third-party service providers do the same, as recommended by privacy authorities. The company also agreed to establish a privacy management program for its application and all future applications to ensure that they comply with federal and provincial privacy legislation.
The federal law governing privacy issues is known as the Personal Information Protection and Electronic Documents Act, or PIPEDA.
Given these remedies, the report found that while Tim Hortons’ application did not comply with privacy laws, the company has since taken steps to resolve the issues.
“We have strengthened our in-house privacy best practices and continue to focus on ensuring that guests can make informed decisions about their data when using our app,” Tim Hortons said in a statement Wednesday.