People who downloaded the Tim Hortons app before the investigation began in June 2020 had their movements tracked and recorded every few minutes every day, even when the app was not open.
This violates Canadian laws on the protection of personal information, said the commissioner in his report released Wednesday morning.
It was National Post journalist James McLeod who sounded the alarm in 2020, after obtaining data showing that the Tim Hortons app on his cell phone had tracked his location more than 2,700 times in less than five months.
Geofencing was happening even when the app wasn’t open on his phone. Likely visits to competing restaurants as well as the journalist’s home and business addresses were among the data recorded.
Without valid user consent
The ensuing investigation focused on whether Restaurant Brands International, the parent company of Tim Hortons, obtained meaningful consent from users to collect and use their location data.
The commissioner concluded that, while the app did ask for permission to access location-based services, it misled users into believing that their data would be accessed only while the app was open.
“This survey sends a clear message to organizations: you can’t spy on your customers just because it’s part of your marketing strategy.”
“Not only is this kind of information collection a violation of the law, but it is also a complete breach of customer trust,” said Michael McEvoy, information and privacy commissioner of British Columbia, who participated in the investigation.
Identify customers’ homes
The application also drew on geolocation data to deduce where users lived and worked, according to the press release from the Privacy Commissioner.
It generated an event whenever users entered or exited the following locations: Tim Hortons competitors, major sporting venues, place of residence and place of work.
The company defended itself by saying that it only used geolocation data in a limited way with the objective of analyzing user trends.
Tim Hortons ceased its ongoing tracking of user geolocation data in 2020, after the investigation began.
But the commissioner believes that this has not eliminated the risk of surveillance and identification. It’s actually easy to identify individuals by their movements, he explains.
In addition to being able to determine an individual’s place of residence and work, this information allows inferences to be made about religious beliefs, sexual preferences, and political affiliations, among other things.
The investigation also found that Tim Hortons’ contract with a U.S. third-party location-based service provider “contained language so broad and loosely framed that the third-party could have sold the de-identified location data for its own purposes.”
“Tim Hortons has gone way too far in amassing a huge amount of very sensitive information about its customers.”
Commissioner Daniel Therrien conducted the investigation jointly with the privacy commissioners of British Columbia, Quebec and Alberta.
The four privacy authorities have made the following recommendations to the company:
Delete any remaining geolocation data and require third party service providers to do the same;
Establish and maintain a privacy management program;
Report in detail on the actions taken by the company to comply with the recommendations.
Tim Hortons has agreed to implement these recommendations.