Results of a joint investigation launched in June 2020 by the Office of the Privacy Commissioner of Canada (OPC) and Canada’s three provincial private sector privacy authorities in Alberta, British Columbia, and Quebec, directed at the Canadian operator and franchisor of Tim Hortons, The TDL Group and its parent company Restaurant Brands International (RBI), released today, have revealed that the company had violated federal and provincial privacy laws with its app’s location tracking.
The investigation was sparked largely because of a June 2020 news article in the Financial Post in which the author detailed how he discovered that, despite granting the Tim Hortons app permission to access the location functionality of his mobile phone while it was open, in reality, it was tracking his location even when it was closed.
It did so, he said, more than 2,700 times in less than 5 months, to infer his home, place of work, travel status, and when he was visiting a competitor.
The investigation concluded that Tim Hortons’ continual and vast collection of location information was “not proportional to the benefits it may have hoped to gain from better targeted promotion of its coffee and other products”. It also found that even after the company shelved plans to use the data for targeted advertising, it continued to collect it until after the investigation was launched.
“Our investigation also found that Tim Hortons did not implement robust contractual safeguards to limit service providers use and disclosure of customers information,” noted Jill Clayton, Information and Privacy Commissioner of Alberta, during a press briefing. “I recognize that the large number of third party service providers involved in app development is a complicating factor, but this is not an excuse for limiting accountability. Alberta’s law says that you are responsible for what your service providers do on your behalf. And this includes ensuring that there are reasonable security and privacy measures in contracts.”
Even the cessation of the collection did not eliminate the risk of surveillance, the report said, because Tim Hortons’ contract with the American locator services provider was so vague that it would have allowed it to sell the de-identified data for its own purposes. And, the report pointed out, there is a real risk that the de-identified geolocation data could be re-identified. A 2014 paper by the OPC explained how easily this could be done.
“The location tracking ecosystem – where intimate details of our daily lives are treated as a commodity to be exploited to sell us products and services … such as a cup of coffee – heightens the risk of mass surveillance,” said Daniel Therrien, Privacy Commissioner of Canada. “We have seen here an absolute lack of proportion between the continual tracking of customers’ location, their habits and other sensitive information this reveals about them, and a company’s desire to sell more products.”
“The era of anything goes when it comes to companies disproportionately harvesting vast volumes of customer personal information must come to an end,” added Michael McEvoy, Information and Privacy Commissioner for British Columbia. “This investigation of one of Canada’s most iconic companies shines a bright light on the fact that such collections are contrary to law and erode the trust between organization and customer. Tim Hortons did not only not tell customers exactly how their location was data was tracked. Even if it had done so, it is clear that no reasonable person could have concluded this detailed and sensitive collection of data was justified by law. This case is a clear lesson to all organizations to think before collecting.”
As a result of the investigation, TDL has agreed to implement several recommendations around the Tim Horton app.
First, it agreed to delete the location data, and any data derived from it, within one month of report issuance, and to direct its third-party service provider to do likewise – and to take steps to ensure the provider has done so.
Second, it has agreed to establish and maintain a privacy management program around the app, and any other apps it launches in the future, within twelve months of report issuance. It has also agreed to provide quarterly written updates to the privacy offices detailing work completed and its progress toward completion of the privacy management program.
There were no financial penalties assessed, Therrien noted in response to a journalist’s question, because the commissioners do not have the power to do so. Currently, said president of the Commission d’accès à l’information du Québec, Diane Poitras, “we do have the power to institute penal procedures. But the maximum fine that Tim Horton could have been condemned to is $10,000.” As of September 2023, her office will have the power to issue monetary administrative penalties as well.
The report concluded, “Our Offices have come to the finding that Tim Hortons did not meet its obligations under the PIPEDA, Quebec’s Private Sector Law, PIPA-AB, or PIPA-BC with respect to the collection, use or disclosure of Users’ granular location data via the App. We accept, however, that TDL’s commitments, once implemented, will bring the company into compliance with the Acts. We, therefore, find this matter to be well-founded and conditionally resolved.
“Finally, while this investigation, and resulting recommendations, focused on the Tim Hortons App, we recognize that RBI offers several other apps in Canada in relation to its other restaurant brands. While we did not assess these other apps, we would expect that RBI will further leverage the outcome and lessons of this investigation and review its personal data handling practices in the context of those other apps to ensure their compliance with the Acts.”
“As a society, we would not accept it if the government wanted to track our movements every few minutes of every day,” Therrien noted. “It is equally unacceptable that private companies think so little of our privacy and freedom that they can initiate these activities without giving it more than a moment’s thought. In my view, what happened here once again makes plain the urgent need for stronger privacy laws to protect the rights and values of Canadians.”