Canada’s largest fast-food chain violated privacy laws by tracking people who used its app, gathering their location data hundreds of times a day – even when the app was not in use.
That is the finding of a joint investigation by Canadian privacy officials into Tim Hortons’ surveillance of customers through an app installed on millions of mobile phones. But while the coffee-and-doughnuts chain owned by Toronto-based Restaurant Brands International Inc. will have to change its privacy practices, it faces no fines or financial penalties for the breach.
The investigation, launched in 2020, found that the app’s permissions “misled many users” by suggesting that it would only gather their information while they were using it. Tim Hortons has said it scaled back on tracking users’ locations in 2020, but privacy officials found that the company’s contract with its third-party location-services supplier contained language that could have allowed the supplier to sell de-identified location data. Such de-identified data carries a risk that it can be reidentified and linked to individuals.
“The location tracking ecosystem – where intimate details of our daily lives are treated as a commodity to be exploited to sell us products and services such as a cup of coffee – heightens the risk of mass surveillance,” Privacy Commissioner Daniel Therrien said at a news conference on Wednesday.
The investigation was conducted by the federal privacy commissioner with counterparts in Quebec, British Columbia and Alberta. The officials have told Tim Hortons to delete any data it still holds on customers’ locations, and to instruct third-party data service providers to do the same. They also have told Tim Hortons to create a privacy-management program for any apps, and to improve privacy communications. The company will report on its progress.
Tim Hortons has begun work on implementing the recommendations, director of communications Michael Oliveira wrote in a statement on Wednesday, adding that the officials have not required the company to change the app itself.
The company faces no financial penalties related to the case because it has accepted the recommendations. The federal commissioner cannot impose fines, although the provincial authority in Quebec can. Privacy commissioners across the country have advocated for changes, including more authority to hand down fines in such cases, and the ability to launch proactive investigations rather than responding to reports of wrongdoing, as they did in this case. Concerns that the Tim Hortons app was tracking users’ movements were first reported in a 2020 National Post article.
“In my view, what happened here once again makes plain the urgent need for stronger privacy laws to protect the rights and values of Canadians,” Mr. Therrien said.
The investigation centred on an estimated 1.6 million mostly Canadian customers whose movements were tracked from the spring of 2019 until Tim Hortons removed the geolocation tracking technology in the summer of 2020.
The Tim Hortons app has since grown much more popular, with more than 4.3 million monthly active users currently. It was second only to Amazon among the most used e-commerce apps in Canada as of the end of March, the company’s chief operating officer, Matt Moore, said in a presentation to investors last month.
The scale of the data collected in 2019 and 2020 was “vast,” according to the privacy commissioners. Whenever the software detected that a device was moving, it generally collected location data every 2.5 to six minutes, depending on the version of the app being used, they wrote.
Tim Hortons is not alone in gathering data on customers through apps. In releasing their findings, the privacy commissioners put other companies in Canada on notice.
“You can’t spy on your customers just because it fits in your marketing strategy,” said Michael McEvoy, Information and Privacy Commissioner for British Columbia. “Not only is this kind of collection of information a violation of the law, it is a complete breach of customers’ trust.”
In late 2020, the Trudeau government proposed an update to the federal private-sector privacy law that would have put stronger guardrails around the collection of personal data, including tougher penalties for violations. That legislation died when last fall’s election was called, but a replacement “will be tabled in due course,” Laurie Bouchard, a spokesperson for Industry Minister François-Philippe Champagne, wrote in an e-mailed statement.
With potentially stiffer penalties coming, companies should be ensuring that customers are clear about what information they are sharing by using such services, said Paige Backman, a partner and co-chair of the privacy and data security group at law firm Aird & Berlis LLP.
“Anybody who is counselling business should appreciate that the case of years gone by – where [the consequences were] just a public embarrassment – will not be the case going forward,” Ms. Backman said.
The investigation’s findings could also bolster the claims of four proposed class-action lawsuits launched in Canada, which claim Tim Hortons was not clear enough about the scope of information it was collecting on customers. Radar Labs Inc., a U.S. company that helped develop the software, is named as a co-defendant in two of the four Canadian lawsuits.
The privacy commissioners said Tim Hortons did not adequately inform customers about location tracking, a necessary step under the law to obtain “meaningful consent.”
The report stated that the company “made misleading statements” in some permission requests and in frequently-asked-questions (FAQ) lists, suggesting it would collect data only when the app was in use.
While Tim Hortons used the geographic tracking for “limited” purposes, the privacy commissioners wrote that by collecting customer data on such a scale, the company invited potential abuses and invasions of privacy.
“Trips to a medical clinic can be indicative of specific medical treatments or illness, while other locations can lead to deductions about an individual’s religious beliefs, sexual preferences, social and political affiliations and more.”