Tim Hortons app tracked too much personal information without proper consent, investigation finds
The Federal Privacy Commissioner’s investigation into the Tim Hortons mobile app found that the app was unnecessarily collecting large amounts of data without obtaining adequate consent from users.
The report, which was released Wednesday morning, says Tim Hortons collected granular location data for the purpose of targeted advertising and promotion of its products, but the company never used the data for these purposes.
“The consequences associated with the app collecting this data, the vast majority of which was collected when the app was not in use, represented a loss of user privacy that was out of proportion to the potential benefits that Tim Hortons could have hoped for better targeted promotion of its coffee and related products,” the report read.
The joint investigation was launched about two years ago by the Office of the Privacy Commissioner of Canada in conjunction with similar authorities in British Columbia, Quebec and Alberta. It came after reports from the Financial Post revealed that the Tim Hortons app was tracking users’ geolocations while users weren’t using the app.
Geolocation data collected by third parties
Tim Hortons used a third-party service provider, Radar, to collect geolocation data from users. In August 2020, Tim Hortons stopped collecting location data.
However, the investigation revealed that there was a lack of contractual protections for users’ personal information when processed by Radar. The report describes the language of the contract terms as “vague and permissive”, which could have allowed Radar to use collected personal information in aggregated or anonymized form for its own business.
“While we accept that Radar did not engage in any use or disclosure for its own purposes, the contractual language in this instance would not appear to provide adequate protection by Tim Hortons of users’ personal information,” says the report.
The report says Tim Hortons has also agreed to remove all granular location data and have third-party service providers do so as well, as recommended by privacy authorities. The company has also agreed to establish a privacy management program for its app and all future apps to ensure they comply with federal and state privacy laws.
The federal law governing privacy matters is known as the Personal Information Protection and Electronic Documents Act, or PIPEDA.
Given these remedies, the report found that while the Tim Hortons app did not comply with privacy laws, the company has since taken steps to address the issues.
“We have strengthened our internal team dedicated to improving privacy best practices and we continue to focus on ensuring customers can make informed decisions about their data when using our app,” reads a statement from Tim Hortons on Wednesday.