Canadian investigators determined Users of the Tim Hortons coffee chain’s mobile app “track and record their movements every few minutes every day” even when the app isn’t open, violating the country’s privacy laws.
“The Tim Hortons app asks for permission to access the geolocation capabilities of mobile devices, but misleads many users into thinking that information can only be accessed while the app is in use. In fact, the app tracks users as long as the device is on, continuously collect their location data,” according to announced Wednesday Provided by the Office of the Privacy Commissioner of Canada. The federal office is working with provincial authorities in Quebec, British Columbia and Alberta to investigate Tim Hortons.
“The app also uses location data to infer where users live, work and whether they are traveling,” the Privacy Commissioner’s Office said. “Every time a user enters or leaves a Tim Horton competitor, a major stadium, or their home or workplace, it generates an ‘event’.”
The Privacy Commissioner’s Office said Tim Hortons dropped plans to use the app for targeted advertising but “continues to collect large amounts of location data” for a year “even though it has no legitimate need to do so”. Tim Hortons said it uses aggregated location data “to analyze user trends — for example, whether users are turning to other coffee chains, and how users’ activities have changed as the pandemic has spread,” the federal office said.
“Inappropriate form of surveillance”
“Tim Hortons has clearly crossed the line by collecting a huge amount of highly sensitive information about his customers,” said Canada’s Privacy Commissioner Daniel Therrien. “Tracking people’s every few minutes every day is clearly an inappropriate form of surveillance.”
Tim Hortons stopped continuous tracking of user locations in 2020 after the government opened an investigation. But this “does not eliminate the risk of surveillance” because “Tim Hortons’ contract with a third-party location service provider in the US contains language so vague and permissive that it allows the company to sell ‘de-identification’ for it location data. Its own purposes,” said the Office of the Privacy Commissioner. As the office noted, “there is a real risk of re-identification of de-identified geolocation data.”
Tim Hortons agreed to implement the agency’s recommendations, but apparently with no penalty.This Investigation report said Tim Hortons’ commitment “will bring the company into compliance” with Canadian law, so “we believe this matter is well-founded and conditionally resolved.” That’s language used When an organization violates Canadian privacy laws but “commits to implement satisfactory corrective measures.”
Tim Hortons agreed to “delete any remaining location data and instruct third-party service providers to do so,” implementing a privacy program that “includes privacy implications for the app and any other apps it launches,” the announcement said. assessment,” implementing “a process to ensure that information collection is necessary and proportional to the identified privacy impact,” and that “privacy communications comply with and adequately explain application-related practices.” Tim Hortons also agreed to report its compliance with the government. Regulatory details.
Reporter found violation of privacy
The investigation began in the Financial Post in June 2020 Report It’s titled “Double Tracking: How Tim Hortons Knows Where You Sleep, Work, and Vacation.” Journalist James McLeod found that “Tim Horton recorded my latitude and longitude coordinates more than 2,700 times in less than five months, and not just while I was using the app,” although the app “told customers It only tracks location” you opened the app. ‘”
Tim Hortons’ statement said: “In June 2020, we took immediate steps to improve the way we communicate with guests about the data they share with us and began to review our privacy practices with external experts. Shortly thereafter, we voluntarily removed data from Reports from the Tims app. Data from this geolocation technology has never been used for personalized marketing to individual guests. The use of this data is very limited and is only done on an aggregated, de-identified basis to study trends in our business – RESULTS It does not contain personal information from any guests.”
Alberta Information and Privacy Commissioner Gil Clayton said the investigation provided “another example of an organization failing to effectively notify customers of its practices. Tim Hortons’ customers did not have enough information to consent to location tracking that actually occurred. .”
This story originally appeared in Ars Technica.