OTTAWA (LifeSiteNews) – A Canadian Privacy Commissioner report found coffee giant Tim Hortons guilty of tracking its smartphone application users without their consent, even when the app was not in use.
In a scathing ruling released June 1, Privacy Commissioner Daniel Therrien spared no words in response to Tim Hortons’ blatant abuse of one’s digital privacy.
“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers,” Therrien said, according to a press release from the Office of the Privacy Commissioner of Canada.
“Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians.”
According to the report’s findings, those who downloaded the Tim Hortons app had not only their movements tracked “and recorded every few minutes of every day, even when their app was not open,” but also where they lived and worked, as well as their traveling habits.
The report found that this was “in violation of Canadian privacy laws.” As a result, the company will make changes to its procedures.
“The investigation concluded that Tim Hortons’ continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products,” the Office of the Privacy Commissioner said.
While the Tim Hortons app, like most others, asked a person for permission to access the mobile device’s geolocation functions, the report concluded that the coffee giant’s app “misled many users to believe information would only be accessed when the app was in use.”
“In reality, the app tracked users as long as the device was on, continually collecting their location data,” concluded the report, adding that it generated an “event” every time users “entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.”
The report’s findings came after a 23-month review by the Office of the Privacy Commissioner of Canada, along with three provincial counterparts, the Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta.
In 2020, the Office of the Privacy Commissioner of Canada, along with the three provincial counterparts, launched a joint investigation into the Tim Hortons mobile app.
The investigation was launched to determine “whether Tim Hortons is in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.”
Tim Hortons stopped its continuous tracking of users in 2020, shortly after the privacy investigation was launched. However, the report said, “that decision did not eliminate the risk of surveillance.”
Data collection went on for a ‘year’ after plans to use data for targeted advertising were tossed
The recent report’s findings stated that the investigation by the Office of the Privacy Commissioner also “uncovered that Tim Hortons continued to collect vast amounts of location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so.”
Tim Hortons said it only used “aggregated location data in a limited way” to analyze user trends.
“The investigation found that Tim Hortons’ contract with an American third-party location services supplier contained language so vague and permissive that it would have allowed the company to sell ‘de-identified’ location data for its own purposes,” the report said.
“There is a real risk that de-identified geolocation data could be re-identified. A research report by the Office of the Privacy Commissioner of Canada underscored how easily people can be identified by their movements.”
As location data is highly sensitive, the Office of the Privacy Commissioner of Canada said that “organizations must implement robust contractual safeguards to limit service providers’ use and disclosure of their app users’ information, including in de-identified form.”
Tim Hortons has agreed to implement the following recommended actions:
- Delete any remaining location data and direct third-party service providers to do the same;
- Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain, app-related practices; and
- Report back with the details of measures it has taken to comply with the recommendations.
Alarm bells over Canadians’ privacy had been sounding throughout the country with more frequency since Prime Minister Justin Trudeau came to power in 2015.
Recently, the Trudeau government announced it is working with top airlines and hopes to mandate all travelers use a form of “digital identity documents” complete with facial recognition biometric data for pre-boarding flights.
It was shown last year that the Trudeau Liberals secretly scanned millions of faces of travelers without their consent at Toronto Pearson International Airport in 2016.
Last year, Therrien said that vaccine passports should not “be permanent.”