Canadian researchers determined that the Tim Hortons coffee chain’s mobile app “tracked and recorded [users’] movements every few minutes each day,” even when the app wasn’t open, in violation of the country’s privacy laws.
“The Tim Hortons app requested permission to access the geolocation features of the mobile device, but deceived many users into believing that the information would only be accessed when the app was in use. In fact, the app tracked users while the device was on, continuously collecting their location data,” according to an announcement from the Office of the Privacy Commissioner of Canada. The federal office collaborated with provincial authorities in Quebec, British Columbia and Alberta in the Tim Hortons investigation.
“The app also used location data to infer where users lived, where they worked, and if they traveled,” the Privacy Commissioner’s Office said. “It generated an ‘event’ every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.”
Tim Hortons ruled out plans to use the application for targeted advertising, but “continued to collect large amounts of location data” for another year “even though it had no legitimate need to do so,” the Office of the Privacy Commissioner said. Tim Hortons said it used aggregated location data “to analyze user trends, for example, whether users switched to other coffee chains and how users’ movements changed as the pandemic consolidated,” the federal office said.
“Improper form of surveillance”
“Tim Hortons has clearly crossed the line by accumulating a lot of very sensitive information about its customers,” said Canadian Privacy Commissioner Daniel Therrien. “Tracking people’s movements every few minutes every day was clearly an inappropriate form of surveillance.”
Tim Hortons has more than 5,100 stores in 13 countries. Most are in Canada, but there are more than 600 in the US, most in New York, Michigan and Ohio.
Tim Hortons stopped continuous monitoring of user locations in 2020 after the government began investigating. But that “did not eliminate the risk of surveillance” because “Tim Hortons’ contract with a U.S. third-party location service provider contained such vague and permissive language that it would have allowed the company to sell unidentified location data for their own purposes,” the Office of the Privacy Commissioner said. As the office noted, “there is a real risk that unidentified geolocation data may be re-identified.”
Tim Hortons agreed to implement the agencies’ recommendations, but apparently will not face any punishment. The investigation report said Tim Hortons’ commitments “will make the company comply” with Canadian law and that “therefore we consider this matter to be well-founded and conditionally resolved.” This is the language used when an organization violates Canadian privacy laws but has “committed to implementing satisfactory corrective actions.”
The announcement said Tim Hortons agreed to “delete the remaining location data and direct third-party service providers to do the same,” to implement a privacy program that “includes privacy impact assessments for and any other launcher,” to implement “a process to ensure that the collection of information is necessary and proportionate to the identified privacy impacts,” and to “ensure that privacy communications are consistent and adequately explain the practices related to applications.” Tim Hortons also agreed to report to the government with details of compliance.
The reporter discovered a violation of privacy
The investigation began after a June 2020 Financial Post report entitled “Double-Double Tracking: How Tim Hortons Knows Where You Sleep, Work, and Vacation.” Journalist James McLeod found that “Tim Hortons had recorded my longitude and latitude coordinates more than 2,700 times in less than five months, and not just when I was using the app,” although the app told customers it was tracking location “only when you have the app open.”
The statement from Tim Hortons said: “In June 2020, we took immediate steps to improve the way we communicate with guests about the data they share with us and began reviewing our privacy practices with external experts. Then we proactively removed the geolocation technology described in the Tims application report. The data from this geolocation technology was never used for personalized marketing for individual guests. This data was made in an aggregated and unidentified manner to study the trends of our business, and the results did not contain personal information of any guest.”
Alberta Information and Privacy Commissioner Jill Clayton said the investigation provides “another example where an organization has not effectively notified clients of its practices. Tim Hortons’ clients did not have the information appropriate to consent to the tracking of the location that was actually occurring.”
This story originally appeared in Ars Technica.