Connect with us


Tim Hortons | A mobile app responsible for a “massive breach” of privacy



A Tim Hortons mobile app that ‘deceptively’ tracked consumers’ GPS location several times a day for marketing purposes is responsible for a ‘massive privacy breach’, joint investigation by federal commissioners finds and provincial privacy policies.

This “troubling affair”, which was initially revealed by an investigation by the National Post, dates back to 2019, when the fast food giant updated its smartphone app. Without its 1.6 million users being fully informed, a new feature made it possible to track their movements by GPS.

The feature was intended to send targeted advertisements to consumers, but soon resulted in the collection of “very considerable amounts of sensitive personal information”. The software could, among other things, determine the place of residence and work of users, but also know when they frequented competing businesses, such as Starbucks, Second Cup and McDonald’s.

Investigation finds Tim Hortons misrepresented to users that their location data would be used “only when your app is open.” However, “the vast majority were collected when the application was not open”, affirm after investigation the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec and its counterparts from British Columbia and Alberta.

Although Tim Hortons has never actually used this data for advertising targeting purposes, the application has collected “very considerable amounts of sensitive personal information”, which bear no proportionality to the “potential benefits that Tim Hortons could have hoped for from more targeted promotion for its coffee,” note the commissioners.

TDL Group Corporation, owner of the Tim Hortons banner, pledged to destroy all data collected when the case came to light in June 2020. “We proactively removed geolocation technology shortly thereafter” , the company said in an emailed statement.

A pat on the fingers

Concretely, the company gets off with a slap on the wrist, since Canada’s Privacy Act does not currently provide for any provision for imposing fines. “I do not have the authority to impose penalties,” summed up Commissioner Daniel Therrien, whose mandate ends in the coming days. “This illustrates the urgent need to reform privacy laws,” he added.

In Quebec, the recent modification of 21 laws dealing with the protection of personal information provides for fines of up to 25 million or 4% of the turnover of an offending company. “We will have the powers to impose fines only from September 2023”, however specified the president of the Commission for access to information, Diane Poitras.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *