Fast-food chain Tim Hortons’ mobile application tracked and recorded users’ movements every few minutes of every day, everywhere they went, even when the app was not in use. This according to a joint investigation by federal and provincial Canadian privacy authorities, which they said points to the need for privacy reform in the country.
The Office of the Privacy Commissioner of Canada, Commission d'accès à l'information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta released findings of the investigation, launched in July 2020, stating the Tim Hortons app misled users in believing access to their mobile device’s geolocation functions would only be used when the app was in use, while instead, users were continuously tracked when their device was on.
While Tim Hortons has agreed to comply with several recommendations from authorities, there is no monetary fine attached to the investigation, a limitation of their authority, said the regulators, who each advocated for privacy reform with stronger penalties.
In comments to the Cable Public Affairs Channel following the results of the investigation, Minister of Innovation, Science and Industry François-Philippe Champagne said he will bring forward a new privacy law in the Digital Charter “in a couple of days.” Champagne said the proposal builds on Bill C-11, which stalled in 2021, to create a framework “that is going to be the answer to what you are seeing now.”
“The key point is about trust and trust starts with privacy,” he said. “So we need to do everything that we can.”
Prime Minister Justin Trudeau also addressed the Tim Hortons investigation with CPAC, saying, “We’re always looking at how to improve the privacy of Canadians. That’s an issue that we’ll take a look at.”
During a press conference on the investigation, Privacy Commissioner Daniel Therrien said it "makes plain the urgent need for stronger privacy laws to protect the rights and values of Canadians."
“We have seen here an absolute lack of proportion between the continual tracking of customers’ location, their habits and other sensitive information this reveals about them, and a company’s desire to sell more products. As a society we would not accept it if the government wanted to track our movements every minute of every day. It is equally unacceptable that private companies think so little of our privacy and freedom that they can initiate these activities without giving it more than a moment’s thought,” he said.
“In my view, what happened here once again makes plain the urgent need for stronger privacy laws to protect the rights and values of Canadians.” — Privacy Commissioner Daniel Therrien
The authorities say the app used location data to determine where users lived, worked and whether they were traveling, and generated an “event” when consumers visited a competitor or other certain locations. The investigation also found that while Tim Hortons stopped location tracking after the investigation began, language in a contract with a U.S.-based third-party location services provider could have allowed the company to sell “deidentified” location data for its own purposes.
The regulators determined the company did not meet obligations under Canada’s Personal Information Protection and Electronic Documents Act, Quebec’s Private Sector Law, Alberta’s Personal Information Protection Act, and British Columbia’s Personal Information Protection Act “with respect to the collection, use or disclosure of users’ granular location data via the app.”
Known as Canada’s largest fast-food restaurant chain, Tim Hortons is owned by Restaurant Brands International alongside Burger King, Popeyes and Firehouse Subs. From its 2017 launch to July 2020, the Tim Hortons app was downloaded almost 10 million times — with 8.6 million Canadian downloads and over 1 million internationally — and has more than 1.6 million active users.
Tim Hortons agreed that it and any third-party service providers will delete any remaining location data, establish and maintain a privacy management program including privacy impact assessments, and report details of measures taken to meet the recommendations.
But a case such as this, Therrien said, in which “very sensitive information that can reveal many things about people” was collected, should also result in penalties.
“There needs to be an incentive for companies, when they collect information or when they start programs like this, to think things through and if, as we saw here, they do not think things through before they start these programs and that personal information is seen as just a commodity and not something that could lead to important privacy risks, there should be a financial penalty,” he said.
Therrien does not have the authority to impose penalties and fine making power does not exist in Alberta or British Columbia. While Quebec has provincial authority to issue fines, Commission d'accès à l'information du Québec President Diane Poitras said the maximum fine Tim Hortons could have received was $10,000.
Therrien, whose eight-year term ends June 3, said it’s “unfortunate” that calls for legislative reform over those years have not yet come to fruition.
“It is extremely unfortunate that Canada is taking so long to modernize its privacy laws,” he said, adding it’s also “unfortunate” the proposed Consumer Privacy Protection Act under Bill C-11 “did not recognize in my view something which is pretty simple, which is that there can be no innovation and economic growth without trust by consumers in the products they are being offered and these products increasingly rely on personal data.
“There is no innovation without trust and no trust without the protection of rights. It’s a pretty simple equation. I would have thought by now it would have been understood and led to laws that respect this simple equation.”
It’s “frustrating,” Alberta’s Information and Privacy Commissioner Jill Clayton said, for commissioners to see the outcome of an investigation like the one into the Tim Hortons’ app “and that the laws have no teeth.”
“We have all been advocating for law reform and more effective penalties that would bring Canadian privacy laws up to the standard that we’re seeing in international jurisdictions,” she said.
The Tim Hortons investigation began in large part due to a June 2020 National Post news article detailing the author’s discovery that the app tracked his location more than 2,700 times in less than 5 months, through areas in Canada as well as on vacation in Europe and Northern Africa, and not just when the app was in use.
Therrien said news articles have often pointed to regulators “that there might be a fire out there,” but he doesn’t “think that’s right.”
“We need to have the authority, as many other jurisdictions including some of my provincial colleagues and other countries like the U.K., to start investigations not to see whether there is indeed a fire, but preventively to ensure compliance with the law,” he said, adding the recommendation has been made to federal parliamentarians. “This is how consumers ultimately will have confidence that when they engage in this digital economy, they can do so with trust because there will be regulators with the right tools, including this authority, to investigate proactively, to verify compliance.”
Photo by Ashley Ross on Unsplash