Coffee giant Tim Hortons used a mobile app to track people’s movements without their consent, a report from four Canadian privacy watchdogs has found.
“This continual and vast collection of location information resulted in a loss of app users’ privacy that is not proportional to the potential benefits Tim Hortons may have hoped to gain from improved targeted advertising promoting its coffee and associated products,” the said.
For Privacy Commissioner of Canada Daniel Therrien, the case is unacceptable and gravely serious. Moreover, it presents mass surveillance concerns, something he said the company appeared to have given little thought.
“As a society, we would not accept it if the government wanted to track our movements every minute of every day,” Therrien said.
But that’s what the company did, he said.
“People were simply misled,” Therrien said. “You simply cannot consent on that basis.”
The problem, the report said, is that tracking people’s movements can give companies insights into sensitive data. That includes trips to medical clinics indicative of specific medical treatments or illness, while other locations can lead to deductions about religious beliefs, sexual preferences, social and political affiliations as well as other information such as a person living at a sexual or domestic abuse shelter or working at a prison.
While data may be anonymized, research shows it can be re-identified, added Therrien.
“Only DNA is harder to anonymize,” he said.
СÀ¶ÊÓƵ commissioner Michael McEvoy said such behaviour is both contrary to the law and erodes trust between customers and companies.
“This case is a clear lesson to all organizations to think before collecting,“ McEvoy said.
The report said from the app's 2017 launch to July 2020, there were more than 8.6 million Canadian downloads.
In July 2020, there were one million app users. Two months before, 14 percent of them were British Columbians.
McEvoy said that's "a couple hundred thousand British Columbians."
The joint investigation was done by the federal Office of the Privacy Commissioner of Canada and the provincial offices in СÀ¶ÊÓƵ, Alberta and Quebec.
User alertness
McEvoy told Glacier Media users can read the user agreements but added such things are convoluted and that emphasis should be on organizations to be clear about what they are doing with such apps.
Consumer alertness only goes so far given the complexity of the situation, added Therrien. That, he said, is at the heart of why commissioners have called repeatedly for legal reform to make sure the regulators can more effectively ensure compliance with the law.
"Consumers and citizens, in addition to being alert, need to be assured there is some independent body that can have their back and intervene when intervention is required," he said.
All commissioners agreed the case is one more that demands legislators strengthen privacy laws and give watchdogs greater powers to ensure people’s privacy is protected. That includes СÀ¶ÊÓƵ, McEvoy said.
"Our investigation today clearly called for that," McEvoy said.
The system remains complaint-driven, the СÀ¶ÊÓƵ commissioner noted, and that's a problem without watchdogs being able to engage in proactive auditing of such situations.
"In this day and age, people never have an idea what to complain about," he said. "The average consumer has no idea what is transpiring."
Therrien said as the probe focused on Tim Hortons, it is not known if any other companies are behaving in a similar fashion.
Asked if it was happening, though, Therrien responded: “Clearly, the answer is yes. Are there sufficient safeguards? Clearly not.”
He said companies should be obligated to assess privacy risks before embarking on a venture. And there should be appropriate financial penalties in law for violations, he said.
The Tim Hortons app investigation
The investigation was launched in June 2020 after concerns about whether or not the Canadian operator and franchisor of Tim Hortons, The TDL Group Corp. and its parent company Restaurant Brands International Inc. (“RBI”) were obtaining meaningful consent from app users to collect and use their geolocation data.
In August 2020, after being notified of the investigation, TDL permanently ceased collecting granular location data via the app for purposes of targeted advertising.
The company has already agreed to delete the data collected.
“Tim Hortons has stated that it is no longer using granular location data,” the report said. “It never used the information for the purpose of targeted advertising.”
The investigation arose largely from a news article where the author detailed discovering that despite granting the Tim Hortons app permission to access the location functionality of his mobile phone while the app was open, the app was tracking his location even when it was closed.
In fact, it tracked him more than 2,700 times in less than five months. It gathered data on where he lived and worked, when travelling more than 100 kilometres from his home, and noted when it believed he entered a Starbucks, Second Cup, McDonald’s, Pizza Pizza, A&W, KFC or Subway.
“In addition to tracking the author’s location within Canada, the app also tracked his location while on vacation in Europe and northern Africa,” the report said.
The commissioners said Tim Hortons did not collect and use the data for an appropriate purpose in the circumstances.
What users would see when starting to use the app differed between operating systems:
- Android: “Allow Tim Hortons to access your location while you are using the app? We use your location to help you find nearby restaurants and provide you with more relevant marketing & offers.”, and;
- iOS: “We use your location to help you find nearby restaurants and provide you with more relevant marketing & offers.”
The report said the company told users data collection would only occur when the app was open.
“These were misleading statements, not consistent with the actual operation of the app," the report said.