Tim Horton’s was recently under investigation by the The Office of the Privacy Commissioner of Canada because of accusations that they were tracking you without your permission. The results of that investigation are now out and….
People who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of every day, even when their app was not open, in violation of Canadian privacy laws, a joint investigation by federal and provincial privacy authorities has found.
The investigation concluded that Tim Hortons’ continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products.
The Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta issued their Report of Findings today.
The Tim Hortons app asked for permission to access the mobile device’s geolocation functions, but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data.
The app also used location data to infer where users lived, where they worked, and whether they were travelling. It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.
The investigation uncovered that Tim Hortons continued to collect vast amounts of location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so.
The company says it only used aggregated location data in a limited way, to analyze user trends – for example, whether users switched to other coffee chains, and how users’ movements changed as the pandemic took hold.
While Tim Hortons stopped continually tracking users’ location in 2020, after the investigation was launched, that decision did not eliminate the risk of surveillance. The investigation found that Tim Hortons’ contract with an American third-party location services supplier contained language so vague and permissive that it would have allowed the company to sell “de-identified” location data for its own purposes.
There is a real risk that de-identified geolocation data could be re-identified. A research report by the Office of the Privacy Commissioner of Canada underscored how easily people can be identified by their movements.
None of this sounds good and doesn’t leave Tim Horton’s looking good. I suspect that because of that, Tim Horton’s agreed to these items:
- Delete any remaining location data and direct third-party service providers to do the same;
- Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain app-related practices; and
- Report back with the details of measures it has taken to comply with the recommendations.
This report makes it clear that you can’t trust Tim Horton’s and their apps. And even after the above items are implemented, I still wouldn’t trust them. So what does Tim Horton’s have to say about this? Not much really:
“Data from this geolocation technology was never used for personalized marketing for individual guests. The very limited use of this data was on an aggregated, de-identified basis to study trends in our business — and the results did not contain personal information from any guests,” spokesperson Michael Oliveira said in an email.
“We’ve strengthened our internal team that’s dedicated to enhancing best practices when it comes to privacy and we’re continuing to focus on ensuring that guests can make informed decisions about their data when using our app.”
Sure they are. I am not buying what they are saying.
It is worth noting that Tim Horton’s is still facing four class-action lawsuits in B.C., Ontario, and Quebec? So their issues are not over by a long shot.
Like this:
Like Loading...
Related
This entry was posted on June 1, 2022 at 2:38 pm and is filed under Commentary with tags Privacy, Tim Horton's. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
The Office Of The Privacy Commissioner Of Canada Says Tim Horton’s Was Tracking You Illegally
Tim Horton’s was recently under investigation by the The Office of the Privacy Commissioner of Canada because of accusations that they were tracking you without your permission. The results of that investigation are now out and….
People who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of every day, even when their app was not open, in violation of Canadian privacy laws, a joint investigation by federal and provincial privacy authorities has found.
The investigation concluded that Tim Hortons’ continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products.
The Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta issued their Report of Findings today.
The Tim Hortons app asked for permission to access the mobile device’s geolocation functions, but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data.
The app also used location data to infer where users lived, where they worked, and whether they were travelling. It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.
The investigation uncovered that Tim Hortons continued to collect vast amounts of location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so.
The company says it only used aggregated location data in a limited way, to analyze user trends – for example, whether users switched to other coffee chains, and how users’ movements changed as the pandemic took hold.
While Tim Hortons stopped continually tracking users’ location in 2020, after the investigation was launched, that decision did not eliminate the risk of surveillance. The investigation found that Tim Hortons’ contract with an American third-party location services supplier contained language so vague and permissive that it would have allowed the company to sell “de-identified” location data for its own purposes.
There is a real risk that de-identified geolocation data could be re-identified. A research report by the Office of the Privacy Commissioner of Canada underscored how easily people can be identified by their movements.
None of this sounds good and doesn’t leave Tim Horton’s looking good. I suspect that because of that, Tim Horton’s agreed to these items:
This report makes it clear that you can’t trust Tim Horton’s and their apps. And even after the above items are implemented, I still wouldn’t trust them. So what does Tim Horton’s have to say about this? Not much really:
“Data from this geolocation technology was never used for personalized marketing for individual guests. The very limited use of this data was on an aggregated, de-identified basis to study trends in our business — and the results did not contain personal information from any guests,” spokesperson Michael Oliveira said in an email.
“We’ve strengthened our internal team that’s dedicated to enhancing best practices when it comes to privacy and we’re continuing to focus on ensuring that guests can make informed decisions about their data when using our app.”
Sure they are. I am not buying what they are saying.
It is worth noting that Tim Horton’s is still facing four class-action lawsuits in B.C., Ontario, and Quebec? So their issues are not over by a long shot.
Share this:
Like this:
Related
This entry was posted on June 1, 2022 at 2:38 pm and is filed under Commentary with tags Privacy, Tim Horton's. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.