Skip to main content

Tim Hortons Canada Slapped on Wrist for Widespread Privacy Violations

Tim Hortons Toronto

Canadian coffee giant Tim Hortons has been reprimanded by Canadian authorities after a lengthy investigation into what federal privacy officials described as “continual and vast collection” of sensitive user location data through the company’s app.

Along with provincial authorities, the Office of the Privacy Commissioner of Canada released the results of the investigation into Tim Hortons Canada operator and franchisor TDL Group Corp. yesterday.

It found that the granular location data of app users may have been tracked every few minutes, every day and everywhere, between approximately May 2020 and August 2020.

Despite these findings, no financial penalties have been imposed.

The investigation was spurred by a June 2020 Financial Post story by journalist James McLeod, who reported that the app had tracked his location more than 2,700 times in less than 5 months, even when the app was closed and permissions were set to off.

Related Reading

The app involved a third-party partnership with the United States-based location data company Radar. According to the investigation, Tim Hortons shifted away from using Radar location data for marketing or analytics purposes in July 2019, although the company continued, through Radar, to collect the data.

“In our view, large volumes of granular location data like that collected by the App can be highly sensitive personal information,” the investigation finding states. “Similar to how Radar, on behalf of Tim Hortons, inferred an individual’s home or place of work using data collected by the App, a company could use information about an individual’s daily movements to develop sensitive insights about that individual. For example, trips to a medical clinic can be indicative of specific medical treatments or illness, while other locations can lead to deductions about an individual’s religious beliefs, sexual preferences, social and political affiliations and more. While the evidence indicates that Tim Hortons did not use Radar Location Data to develop such sensitive insights, the real potential for the information to be used in this way renders it sensitive.”

Tim Hortons has maintained, and the investigation has confirmed, that the data in question was used only on a limited basis, and the company subsequently proactively removed the problematic geo-tracking capabilities from the former app version.

Tim Hortons cup

“Tim Hortons’ actual use of the data was very limited, as the company decided to refocus on other commercial priorities shortly after updating the App and the company used the data on an aggregated, de-identified basis to conduct limited analytics related to User trends,” the report stated.

In a statement yesterday, British Columbia’s information and privacy commissioner Michael McEvoy described the investigation as sending a “strong message to organizations that you can’t spy on your customers just because it fits in your marketing strategy.”

However, the investigation involves no financial penalties or criminal charges. The privacy office officially considers the case to be “well-founded and conditionally resolved.”

Does your coffee business have news to share? Let DCN’s editors know here