The Office of the Privacy Commissioner of Canada, along with privacy authorities in British Columbia, Quebec and Alberta, said Wednesday that Tim Hortons updated its app in May 2019 to track users whenever their devices were turned on — despite many consumers' belief that they would only be tracked when they were using the app.
Tim Hortons, working with a U.S.-based third-party service provider called Radar, used the location data to infer where users lived, where they worked, and whether they were traveling, the regulators said in a report. The app also recorded every time a user entered and left a Tim Hortons competitor, a major sports venue, or their home or workplace, said the privacy authorities.
The coffee and pastry chain had planned to collect the data in order to deliver targeted advertising to customers, but ended up scrapping that plan, the regulators' investigation found. The company told the privacy authorities that it only used aggregated location data "in a limited way" to analyze user trends, like whether users switched to other coffee chains and how users' movements changed during the pandemic, the report says.
Tim Hortons' data collection breached Canadian privacy law in part because the company did not have a "legitimate need to collect vast amounts of sensitive location information where it never used that information for its stated purpose," Canadian regulators wrote.
"Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers," said Canadian Privacy Commissioner Daniel Therrien in a statement. "Following people's movements every few minutes of every day was clearly an inappropriate form of surveillance."
Tim Hortons has agreed to adopt a set of recommendations, including deleting any remaining location data it collected through the app and directing third-party providers to do the same, according to the Canadian regulators, who have been investigating the company since June 2020. Tim Hortons has also agreed to conduct "privacy impact assessments" for its app and any future apps that it plans to launch, the authorities said.
Canadian privacy regulators have limited authority to impose penalties themselves but can sue companies in Canadian federal courts, which can impose fines.
In a statement, Tim Hortons, which is owned by Restaurant Brands International Inc., confirmed that it has removed the geolocation technology from its app.
The company added that it has "strengthened our internal team that's dedicated to enhancing best practices when it comes to privacy," and said that it is "continuing to focus on ensuring that guests can make informed decisions about their data."
--Editing by Daniel King.