Tim Hortons app tracked too much personal information without adequate consent, investigation finds
App's data tracking resulted in loss of users' privacy, says report by federal, provincial authorities
The federal privacy commissioner's investigation into the Tim Hortons mobile app found that the app unnecessarily collected extensive amounts of data without obtaining adequate consent from users.
The commissioner's report, which was published Wednesday morning, states that Tim Hortons collected granular location data for the purpose of targeted advertising and the promotion of its products but that the company never used the data for those purposes.
"The consequences associated with the App's collection of that data, the vast majority of which was collected when the App was not in use, represented a loss of Users' privacy that was not proportional to the potential benefits Tim Hortons may have hoped to gain from improved targeted promotion of its coffee and associated products," the report read.
The joint investigation was launched about two years ago by the Office of the Privacy Commissioner of Canada in conjunction with similar authorities in British Columbia, Quebec and Alberta. It came after reporting from the Financial Post found that the Tim Hortons app tracked users' geolocation while users were not using the app.
According to a presentation to investors shared in May, the restaurant chain's app has four million active users.
3rd party collected geolocation data
Tim Hortons was using a third-party service provider, Radar, to collect geolocation data of users. In August 2020, Tim Hortons stopped collecting location data.
However, the investigation found that there was a lack of contractual protections for users' personal information while being processed by Radar. The report describes the language in the contractual clauses to be "vague and permissive," which could have allowed Radar to use the personal information collected in aggregated or de-identified form for its own business.
"While we accept that Radar did not engage in a use or disclosure for its own purposes, the contractual language in this case would not appear to constitute adequate protection, by Tim Hortons, of Users' personal information," the report said.
The report states that Tim Hortons also agreed to delete all granular location data and to have third-party service providers do so as well, as per recommendations from the privacy authorities. The company also agreed to establish a privacy management program for its app and all future apps to ensure they are compliant with federal and provincial privacy legislation.
The federal law governing privacy issues is known as the Personal Information Protection and Electronic Documents Act, or PIPEDA.
Given these remedies, the report found that while the Tim Hortons app was not compliant with privacy laws, the company has since taken measures to resolve the issues.
"We've strengthened our internal team that's dedicated to enhancing best practices when it comes to privacy and we're continuing to focus on ensuring that guests can make informed decisions about their data when using our app," a statement from Tim Hortons released on Wednesday said.
'Heightens the risk of mass surveillance'
The privacy commissioners responsible for the joint investigation held a teleconference with journalists on Wednesday, at which they forcefully condemned the privacy violations highlighted in the report.
"The location tracking ecosystem, where details of our daily lives are treated as a commodity to be exploited to sell us products and services such as a cup of coffee, heightens the risk of mass surveillance," said Daniel Therrien, Canada's privacy commissioner.
David Fraser, a privacy lawyer with the law firm McInnes Cooper in Halifax, said the findings of the investigation are a lesson not only for Tim Hortons but for any entity that creates an app that collects location data.
"Location information is generally recognized as being among the most sensitive information that can be collected because of the sort of inferences you can draw related to people's lifestyles, ... where they will tell you where they live, where they work, where they go," Fraser said.
Calls for stronger privacy legislation
Therrien said it's possible that other apps are in similar violation of privacy laws.
However, the current framework for investigations relies on complaints being brought forward to the commissioner's office. In this case, media reports prompted an investigation.
"We need to have the authority to start an investigation not to see if whether there is a fire, but preventatively to ensure compliance with the law," Therrien said, adding that preventative action would promote consumer trust.
The federal commissioner does not have the power to issue fines to entities found to be in violation of the PIPEDA. However, the Commission d'accès à l'information du Québec will soon be able to issue administrative monetary penalties, fines, binding orders and more. These new powers will go into effect in September 2023.
Michael McEvoy, B.C.'s information and privacy commissioner, said more powers need to be given to the offices of privacy commissioners.
"This turns the focus of the spotlight back on our elected assemblies and jurisdictions to take action," he said.
Karen Eltis, a University of Ottawa law professor and a faculty member of the university's Centre for Law, Technology and Society, said there's a general consensus among privacy experts that the laws and frameworks around privacy in Canada need to be "refreshed." Privacy expectations are evolving, she said, including the bar for consent when it comes to the collection of data.
"When we talked about consent five years ago, 10 years ago, we really meant checking a box, which I've criticized for a long time. Now we're looking at meaningful consent," Eltis said.
Vass Bednar, executive director of the master of public policy program at McMaster University in Hamilton, said the investigation highlights the need for more comprehensive laws that empower institutions to take swift action, including in the form of financial penalties.
"This investigation took two years. A whole lot has happened in the digital economy in two years. I've downloaded a bunch more apps since then," she said.
Bednar said the interests of the public need to be given more priority when assessing the costs and benefits of data collection by corporations.
"Some of the things they could learn about their customers I think is legitimately interesting," she said. "But in terms of that actual value to everyday people and the value to our broader economy, it's just not there."
Company faces several class-action lawsuits
Restaurant Brands International Inc., the parent company of Tim Hortons, is facing several class-action lawsuits in relation to its mobile app.
The lawsuits were launched after the Financial Post's reporting on the collection of geolocation data.
Fraser said that while the findings of the commissioners' investigation will be relevant to the lawsuits, a different standard would be applied in court, including whether the intrusion of privacy would be "highly offensive to a reasonable person."
"The court has to make its own determination of the facts. The court can't kind of delegate over to say, 'Well, here's what the privacy commissioner found, and therefore we're going to believe this,'" he said.