By Jim Bronskill, The Canadian Press
OTTAWA — The Tim Hortons mobile ordering app violated the law by collecting vast amounts of location information from customers, an investigation by federal and provincial privacy watchdogs has found.
In a report released Wednesday, privacy commissioners say people who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes, even when the app was not open on their phones.
The investigation came after National Post reporter James McLeod obtained data showing the Tim Hortons app on his phone had tracked his location more than 2,700 times in less than five months.
Federal privacy commissioner Daniel Therrien conducted the probe with privacy commissioners from British Columbia, Quebec and Alberta.
“Our joint investigation tells yet another troubling story of a company that failed to ensure proper design of an intrusive technology, resulting in a mass invasion of Canadians’ privacy,” Therrien said.
“It also highlights the very real risks related to location data and the tracking of individuals.”
The commissioners found the Tim Hortons app asked for permission to access a mobile device’s geolocation functions, but misled many users to believe information would be accessed only when the app was in use.
However, the app tracked users as long as the device was on, continually gathering their location data.
The commissioners say Tim Hortons collected “vast amounts” of granular location data with the aim of delivering targeted advertising, to better promote its coffee and associated products, but that it never actually used the data for this purpose.
The app used location data to infer where users lived, where they worked and whether they were travelling, the watchdogs found.
It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue or their home or workplace, the commissioners said in a joint news release.
“The investigation uncovered that Tim Hortons continued to collect location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so,” the statement said.
“The company says it only used aggregated location data in a limited way, to analyze user trends — for example, whether users switched to other coffee chains, and how users’ movements changed as the pandemic took hold.”
While Tim Hortons stopped continually tracking users’ locations in 2020, after the probe was launched, this did not eliminate the risk of surveillance, the watchdogs say.
The investigation found that Tim Hortons’ contract with a U.S. third-party location services supplier contained language so “vague and permissive” that it would have allowed the company to sell “de-identified” location data for its own purposes.
There is a real risk that such geolocation data could be “re-identified,” the watchdogs warned.
“Geolocation data is incredibly sensitive because it paints such a detailed and revealing picture of our lives,” Therrien said.
Surveillance of our everyday movements reveals where people live and work, as well as information about visits to a medical clinic or place of worship, he added.
“It can be used to make deductions about sexual preferences, social political affiliations and much more.”
Tim Hortons agreed to implement recommendations that the company:
— delete any remaining location data and direct third-party service providers to do the same;
— establish and maintain a privacy management program for apps; and
— report on measures it has taken to comply with the recommendations.