Privacy Watchdogs – Revelstoke Review

Tim Hortons mobile ordering app broke the law by collecting large amounts of location information from customers, an investigation by federal and provincial privacy watchdogs has found.

In a report released Wednesday, privacy commissioners said people who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes, even when the app wasn’t open on their phone. telephone.

The investigation came after National Post reporter James McLeod obtained data showing the Tim Hortons app on his phone had tracked his location more than 2,700 times in less than five months.

Federal privacy commissioner Daniel Therrien led the survey of privacy commissioners in British Columbia, Quebec and Alberta.

“Our joint investigation tells another troubling story of a company failing to properly design intrusive technology, resulting in a massive invasion of Canadians’ privacy,” Therrien said.

“It also highlights the very real risks associated with location data and the tracking of individuals.”

Commissioners found that the Tim Hortons app requested permission to access a mobile device’s location-based features, but misled many users into believing the information would only be accessible when the app was in use.

However, the app tracked users as long as the device was on, continuously collecting their location data.

Commissioners say Tim Hortons collected ‘large amounts’ of granular location data for the purpose of delivering targeted advertisements, better promoting its coffee and related products, but never actually used the data to this end.

The app used location data to infer where users lived, where they worked and if they traveled, watchdogs found.

It generated an “event” each time users entered or left a Tim Hortons competitor, major sports venue, or their home or workplace, the commissioners said in a joint press release.

“The investigation revealed that Tim Hortons continued to collect location data for a year after it discontinued its intention to use it for targeted advertising, even though it had no legitimate need to do so,” the report said. communicated.

“The company says it has only used aggregated location data in a limited way, to analyze user trends – for example, whether users have moved to other coffee chains and how user movements have changed. changed as the pandemic took hold.”

Tim Hortons said Wednesday the company took immediate steps in 2020 to improve how it communicates with customers about the data they share with the company, and began reviewing its privacy practices with external experts.

“Shortly thereafter, we proactively removed the geolocation technology described in the report from the Tims app,” the company said in a statement. “The very limited use of this data was on an aggregated and anonymized basis to study trends in our business.”

Although Tim Hortons stopped permanently tracking users’ locations after the privacy investigation began, that hasn’t ended the surveillance risk, according to watchdogs.

The investigation found that Tim Hortons’ contract with a US third-party location services provider contained language so “vague and permissive” that it allegedly allowed the provider to sell “anonymized” location data for its own purposes.

There is a real risk that this geolocation data will be “re-identified”, watchdogs have warned.

“Geolocation data is incredibly sensitive because it paints such a detailed and revealing picture of our lives,” Therrien said.

Monitoring daily movements reveals where people live and work, as well as information about visits to a medical clinic or place of worship, he added. “It can be used to make inferences about sexual preferences, social political affiliations and much more.”

Tim Hortons has agreed to implement the recommendations that the company:

— delete all remaining location data and order third-party service providers to do the same;

— establish and maintain a privacy management program for applications; and

— report on the measures it has taken to comply with the recommendations.

Tim Hortons said the company has bolstered its internal team working to improve privacy best practices and continues to focus on ensuring customers “can make informed decisions about their data when using our app.”

—Jim Bronskill, The Canadian Press

privacyTim Hortons

Lance B. Holton