It states Canadian investigators that users of the Tim Hortons coffee chain’s mobile app “get tracked and record their movements by a few minutes every day”, even when the app was not open, in violation of the country’s privacy laws.
“The Tim Hortons app asked for permission to access the mobile device’s geolocation features, but misled many users into believing that information would only be accessed when the app was in use. In fact, the app tracked users as long as the device was turned on, and collected their location data on an ongoing basis, “according to a announcement Wednesday by the Canadian Office of the Privacy Commissioner. The federal office collaborated with provincial authorities in Quebec, British Columbia and Alberta in the investigation of Tim Hortons.
“The app also used location data to deduce where users lived, where they worked, and whether they traveled,” the Office of Privacy Commissioner said. “It generated an ‘event’ every time users walked in or left a Tim Hortons competitor, a major sports venue, or their home or workplace.”
Tim Hortons scrapped plans to use the app for targeted advertising, but “continued to collect huge amounts of location data” for another year, “even though it had no legitimate need to do so,” the Office of Privacy Commissioner said. Tim Hortons said it used aggregated location data “to analyze user trends – for example, whether users switched to other coffee chains and how users’ movements changed as the pandemic took hold,” the federal office said.
“Inappropriate form of surveillance”
“Tim Hortons clearly crossed the line by gathering a huge amount of very sensitive information about his customers,” said Canada’s Privacy Commissioner Daniel Therrien. “Following people’s movements every few minutes every day was clearly an inappropriate form of surveillance.”
Tim Hortons halted ongoing tracking of users’ location in 2020 after the government began investigating the matter. But it “did not eliminate the risk of surveillance” because “Tim Hortons’ contract with a US third-party location service provider contained the language so vague and lenient that it would have allowed the company to sell ‘deidentified’ location data for its own purposes,” the privacy commissioner said. . As the office noted, “there is a real risk that deidentified geolocation data may be re-identified.”
Tim Hortons agreed to implement the agencies’ recommendations, but will apparently not face any punishment. That survey report said that Tim Hortons’ commitment “will bring the company into line” with Canadian law and that “we therefore find that this case is well-founded and conditionally resolved.” That’s it used language when an organization violates Canadian privacy laws but has “committed to implement satisfactory corrective actions.”
The announcement said Tim Hortons agreed to “delete any remaining location data and order third-party service providers to do the same,” implement a privacy program that “includes privacy impact assessments for the app and all other apps it launches,” implement “a process to ensure , that the collection of information is necessary and proportionate to the identified impacts on privacy, “and ensure” that privacy communications are consistent with and adequately explain app-related practices. ” Tim Hortons also agreed to report back to the government with details of its compliance.
Reporter revealed invasion of privacy
The investigation began after a financial item from June 2020 report titled “Double-Double Tracking: How Tim Hortons Knows Where You Sleep, Work, and Vacate.” Reporter James McLeod found that “Tim Hortons had recorded my latitude and longitude coordinates more than 2,700 times in less than five months, and not just when I used the app,” though the app “told customers it only tracks location when you have the app open. “
Tim Hortons’ statement said: “In June 2020, we took immediate steps to improve how we communicate with guests about the data they share with us, and began reviewing our privacy practices with external experts. Shortly thereafter, we proactively removed that geolocation technology, described in the report from the Tims app.Data from this geolocation technology was never used for personal marketing for individual guests.The very limited use of this data was on an aggregated, deidentified basis to study trends in our business – and the results did not contain personal information from any guests. “
Alberta Information and Privacy Commissioner Jill Clayton said the investigation provides “another example where an organization has not effectively informed customers of its practices. Tim Hortons’ customers did not have enough information to give consent to the site tracking that actually took place. “
This story originally appeared on Ars Technica.