Canadian Donut Giant Tim Hortons in Hot Oil Over Data Collection Practices

The Tim Hortons breakfast empire is feeling the heat in its native Canada over the data collection practices of its mobile app. The Office of the Privacy Commissioner of Canada (OPC), along with the privacy commissioners of the provinces of Quebec, Alberta and British Columbia is launching an investigation to determine if the company’s mobile app is in violation of federal private sector privacy law.

The investigation centers on whether or not Tim Hortons obtained meaningful consent from app users before engaging in data collection that included personal information stored in user profiles and logging of habits and activities, and if it was collecting geolocation data for purposes of tracking even when it was not open and active.

Tim Horton’s dubious data collection

The investigation will determine whether the Tim Hortons app violated the national Personal Information Protection and Electronic Documents Act (PIPEDA), as well as privacy laws that the three individual provinces have enacted. The federal Privacy Commissioner’s office called it a matter of “great importance to Canadians” due in particular to the collection of geolocation data. The four agencies are coordinating on the investigation and issued a joint statement.

The investigation comes in response to an early June report from the Financial Post that detailed the extent of the Tim Hortons mobile app data collection. Post reporter James McLeod tracked the data collected by the app through his own personal account back to May 2019 and found that the company was frequently receiving updates on his location in the form of specific GPS coordinates, even at times that the app was not open or active. McLeod obtained this information through a PIPEDA request, finding that the company accessed his location information over 2,700 times in five months. It appeared to be particularly active when he was physically near a Tim Hortons competitor, but logged precise entry and exit times for all sorts of locations including a visit to his girlfriend’s house and a flight taken from Toronto’s airport.

In addition to logging location information, the app keeps thorough details about the user’s hardware and network. Among other things it logs the type of device, the operating system, IP address, unique Android Advertising ID and service carrier. It also logs every interaction with the app and the items that customers order through it, creating detailed user profiles that can stretch back as far as 12 months.

The case will hinge on whether or not the Canadian privacy agencies agree that app users did not know what they were signing up for in terms of the scope of the data collection and location tracking. Based on the Financial Post report, it appears that the app triggered GPS location pinging at so many different locations that it was possible to create an extremely detailed log of a person’s daily movements, and that this information was made available even if the user did not have the app open.