In 2019, the multinational fast-food chain updated its smartphone app, which enabled it to collect location data from users’ devices “as often as every few minutes” even when the app was not open. As a result, Tim Hortons was able to track users closely and infer information like their home and work addresses, and when they visited its competitors. Canadian privacy regulators have determined that this data collection was excessive, and Tim Hortons did not get valid user consent. TDL, Tim Hortons’ parent company, stopped collecting users’ “granular location data” in 2020. It has also agreed to delete all the collected data, and any inferences made.
Investigation Into Tim Hortons
Concerns about Tim Hortons’ data collection practices first arose in June 2020. James McLeod, a journalist with the Financial Post, published an article detailing the extent to which Tim Hortons’ app tracked his movements. McLeod said the app logged his coordinates over 2,700 times in five months, even when he was not using the app. The Office of the Privacy Commissioner of Canada (OPC) and the provincial authorities of Quebec, Alberta, and British Columbia decided to look into the issue in June 2020. The regulators found that in May 2019, Tim Hortons released a new version of its app, and received assistance from US-based third-party service provider, Radar, to track and collect user data, and provide the company with more information based on inferences. Tim Hortons supposedly collected this information to deliver targeted ads, promoting its products. However, it did not use the information for this purpose. In fact, it only used the information “on an aggregated, de-identified basis to conduct limited analytics related to User trends.”
Privacy Regulators’ Findings
The Canadian privacy regulators’ investigation focused on two key questions. First, whether the company collected and used location data, and whether it was appropriate, reasonable, and fulfilled a legitimate need. Second, whether the company obtained valid consent from its users to do so. The investigation found that the company did not need to collect such large amounts of sensitive location data. Furthermore, it never used the data for the stated purpose. Tim Hortons also did not obtain valid consent from the users of its app to track them. The company did not inform users that the app would collect location data even when it was not in use. It never completely explained the extent of the data collection, keeping its data practices in the dark. “Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians.” Daniel Therrien, Canada’s Privacy Commissioner, said.
Concerns About Data Sharing With Third Parties
The regulators also expressed concerns about Tim Hortons’ data-sharing agreements with third parties like Radar. While they have not conducted an in-depth review of these agreements, they are unsure if there are sufficient privacy protection clauses. The regulators have recommended that Tim Hortons deletes all remaining granular location data, and adopt and maintain a privacy management program. In August 2020, shortly after the regulators announced they would look into Tim Hortons’ data practices, the company stopped collecting granular location data. The company has committed to deleting all the stored granular location data, and any inferences derived from it. It has directed its third-party service providers to do the same. Tim Hortons will also set up and maintain a privacy management program to ensure its app, and any future apps it releases, comply with Canadian privacy laws. The privacy regulators are not taking any action against the company at this time. Food delivery apps are growing in popularity, and offer easy access to some of our favorite foods and beverages. While they certainly make life a lot easier, can you trust them with your personal information? Check out this article to learn more about the security and privacy of some of the most popular food delivery apps, and how to keep your data safe.
