The Tim Hortons App Investigation: A Call for Privacy Reform in Canada

As concerns about surveillance rise in an expanding digital era, Canadian restaurant giant Tim Hortons is one of the most recent firms to face scrutiny for privacy violations. The fast-food restaurant chain is owned by Restaurant Brands International, which owns Burger King, Popeyes, and Firehouse Subs. 

According to a joint investigation launched by the Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta in July 2020, consumers who downloaded the Tim Hortons app had their movements tracked and documented every few minutes of the day, even while the app was not active, in breach of Canadian privacy regulations.

The findings of the joint investigation conducted by the Canadian federal and provincial privacy authorities claim that the continuous and extensive collection of location data by the Tim Horton’s app was not proportionate to the benefits that the company sought to achieve from better-targeted advertising of its coffee and other items.

The app was downloaded about 10 million times between 2017 and 2020, with 8.6 million Canadian downloads and over 1 million worldwide. It currently has more than 1.6 million active users. 

According to the investigation, the app requested permission to use the mobile device’s geolocation features; however, many users were deceived into believing the information would be accessible only while the app was in use. The software monitored users for as long as the device was turned on, gathering location data continuously. 

It also used location data to determine where users lived, worked, and whether or not they were travelling. Every time a user entered or exited a Tim Horton’s competitor, their home or business, an “event” was logged. 

The inquiry revealed that Tim Hortons continued to gather heaps of location data for a year after abandoning plans to utilise it for targeted advertising, despite having no valid reason. According to the company, it only used aggregated location data in a limited way to assess user trends, such as whether consumers shifted to other coffee shops and how users’ movements changed as the pandemic spread.

While Tim Hortons ceased monitoring users’ movements in 2020, that action did not eliminate the potential of spying after the inquiry was initiated. According to the report, Tim Hortons’ contract with an American third-party location services supplier included wording so ambiguous and permissive that it would have permitted the firm to sell “de-identified” location data for its purposes.

There is a substantial danger of re-identification of de-identified geolocation data. A study conducted by the Office of the Privacy Commissioner of Canada revealed how readily persons might be recognised based on their movements. Location data is susceptible since it may identify where individuals live and work and journeys to medical facilities. It may deduce religious views, sexual preferences, social-political affiliations, and other information.

The investigation also revealed that Tim Hortons did not have a comprehensive privacy management policy for the app, which would have allowed the company to identify and resolve many of the privacy violations discovered.

Tim Hortons has agreed to implement the four privacy authorities’ recommendations which include:

• Deleting any residual location data and instructing third-party service providers to follow suit;
• Establish and maintain a privacy management programme that includes:
  • privacy impact assessments for the app and any other apps that it launches;
  • develop a process to ensure information collection is necessary and proportionate to the privacy impacts identified; 
  • ensure private communications are consistent with;
  • adequately explain app-related practices.
• Provide details on the steps it has made to comply with the suggestions. 

The Tim Hortons investigation began as a result of a June 2020 National Post news article detailing the author’s discovery that the app tracked his location more than 2,700 times in less than 5 months, both in Canada and while on vacation in Europe and Northern Africa, and not just when the app was in use.

The course of the investigation conducted by Canada’s federal and provincial privacy authorities showcases a dire need for privacy reform in the country. While Tim Hortons has agreed to comply with various suggestions from authorities, there is no monetary penalty associated with the probe, which the regulators described as a restriction of their jurisdiction. Neither Alberta nor British Columbia has the authority to levy fines. While Quebec has the authority to impose penalties, the maximum amount Tim Hortons could have faced was $10,000.

Like many other jurisdictions, Canada needs to restructure its privacy regime to authorise inquiries not just when there is a breach but also as a preventative measure. Consumers will eventually have confidence that when they partake in this digital economy, they may do so with confidence because regulators will be equipped with the necessary means, including the power to investigate effectively and verify compliance.

At an organisational level, businesses must put in place solid contractual controls to limit service providers’ use and disclosure of app users’ information, including de-identified information. Failure to do so puts those consumers in danger of having their data utilised in ways they never expected, such as extensive profiling, by data aggregators.

Other Resources:

Report of Findings

Statement: Remarks by Privacy Commissioner of Canada

News release: Privacy Commissioners launch a joint investigation into Tim Hortons mobile app