Canadian investigators have identified that users of the Tim Hortons mobile app “tracked and recorded their movements every few minutes of every day” even when the app was not open, in violation of the country’s privacy laws.
“Tim Horton’s app asked for permission to access the mobile device’s geolocation features, but misled many users into believing that the information would only be available when the app was in use. In fact, the application tracked users while the device was on, constantly collecting data about their location, ”the message says. announcement Wednesday Office of the Privacy Commissioner of Canada. The federal agency cooperated with the provincial governments of Quebec, British Columbia and Alberta in investigating Tim Hortons.
“The app also used location data to determine where users live, where they work, and whether they traveled,” the Office of the Privacy Commissioner said in a statement. “It generated an ‘event’ every time users entered or exited Tim Horton’s competitor, a major sports venue, at home or at work.”
Tim Hortons dropped plans to use the app for targeted ads but “continued to collect massive amounts of location data” for another year, “although there was no legitimate need to do so,” the Office of the Privacy Commissioner said. Tim Hortons said he used aggregated location data “to analyze user trends, such as whether users have switched to other coffee chains and how user movements have changed as the pandemic spread,” the federal agency said in a statement.
“Tim Hortons has clearly crossed the line by collecting a huge amount of highly sensitive information about its customers,” said Canadian Privacy Commissioner Daniel Therrien. “Tracking people’s movements every few minutes every day was clearly an inappropriate form of surveillance.”
Tim Hortons stopped constantly tracking users’ locations in 2020 after the government launched an investigation. But that “didn’t eliminate the risk of surveillance” because “Tim Hortons’ contract with a third-party US location provider was so vague and permissive that it would have allowed the company to sell ‘depersonalized’ location data to its customers. own purposes,” the Office of the Privacy Commissioner said. As noted in the office, “there is a real risk that de-identified geolocation data can be re-identified.”
Tim Hortons agreed to follow the agency’s recommendations, but apparently will not face any punishment. investigation report said Tim Hortons’ commitment would “bring the company into line” with Canadian law and that “we therefore consider the matter to be a valid and conditional decision.” it language used when an organization violates Canadian privacy laws but has “committed to taking satisfactory corrective action.”
The announcement stated that Tim Hortons had agreed to “remove all remaining location data and instruct third party service providers to do the same,” implement a privacy program that “includes a privacy impact assessment of the app and any other apps it runs,” implement ” a process to ensure that the collection of information is necessary and proportionate to the identified impacts on privacy”, and to ensure that “privacy communications are consistent with and adequately explain application-related practices”. Tim Hortons also agreed to give the government details of its compliance.
The investigation began after the publication of the Financial Post in June 2020. report titled “Dual Tracking: How Tim Hortons Knows Where You Sleep, Work, and Play.” Reporter James McLeod found that “Tim Hortons recorded my longitude and latitude coordinates over 2,700 times in less than five months, and not just when I was using the app”, even though the app “told customers that it was tracking location” only when you have an application open.
Tim Hortons said in a statement: “In June 2020, we took immediate steps to improve how we inform guests about the data they share with us and began to review our privacy practices with outside experts. Shortly thereafter, we actively removed the geolocation technology described in the report from the Tims app. The data from this geolocation technology has never been used for personalized marketing to individual guests. A very limited use of this data has been on an aggregated, de-identified basis to study trends in our business, and the results do not contain personally identifiable information from any guests.”
Alberta Information and Privacy Commissioner Jill Clayton said the investigation is “another example of how the organization failed to properly notify clients of its practices. Tim Hortons’ customers didn’t have enough information to consent to real location tracking.”
This story originally appeared on Ars Technique.
Credit: www.wired.com /