Canadian Privacy Commissioners Find Tim Hortons’ App Violated Privacy Laws

On June 1, 2022, the Office of the Privacy Commissioner of Canada and the provincial privacy commissioners of Alberta, British Columbia and Québec (collectively, the Commissioners) released their findings of a joint two-year investigation into the Tim Hortons mobile ordering application (the App), as previously reported by the E-TIPS® Newsletter here. The Commissioners determined that the App violated applicable federal and provincial privacy laws by collecting location data of its users, without their adequate knowledge or valid consent.

The Commissioners focused their investigation on whether The TDL Group Corp. and its parent company (collectively, Tim Hortons):

1. collected and used granular GPS-based location data through the App for a purpose that a reasonable person would consider appropriate in the circumstances, and was reasonable and to fulfill a legitimate need; and
2. obtained adequate consent from the App users to collect and use their location data.

The Commissioners’ investigation found that for users who provided permission to access their mobile device’s geolocation, the App continuously collected their location data as long as their device was on. Tim Hortons’ third-party service provider collected and processed location data to (i) infer the location of a user’s home, place of work, and whether they were travelling; and (ii) identify when a user visited a competitor of Tim Hortons.

The Commissioners found that, while Tim Hortons’ stated purpose for the collection of the location data was for targeted advertising and to better promote its products, it never used the data for this identified purpose. Instead, Tim Hortons only used aggregated location data in a limited way to analyze user trends.

The Commissioners determined that Tim Hortons’ collection of location data was not for an appropriate purpose that a reasonable person would consider in the circumstances. Moreover, there was no legitimate need to collect vast amounts of sensitive location data where such data was never used for the identified purpose, and the resulting loss to users’ privacy was not proportional to the potential benefits Tim Hortons may have obtained through targeted advertising of its products.

The Commissioners concluded that Tim Hortons did not obtain meaningful or valid consent as it (i) failed to inform users about collection of their location even when the App was closed; (ii) made misleading statements to users about data collection; and (iii) did not ensure users understood the consequences of consenting to the continual collection of their location data. 

As a result of the investigation, the Commissioners recommended, and Tim Hortons agreed to:

1. delete any remaining location data and any data derived from it, and direct third-party service providers to do the same;
2. establish and maintain a privacy management program to ensure compliance with privacy laws for the App and other apps it launches; such program should include privacy impact assessments when contemplating practices that may impact individuals’ privacy, among other things; and
3. report to the Commissioners with the implemented measures it has taken to comply with the recommendations.

The Commissioners emphasized the broader privacy concerns when collecting location data in their report, noting that location data is highly sensitive when tracked over time and can be used to infer an individual’s home, place of work and other personal information. The Commissioners highlighted that, even when de-identified, there is a real risk that de-identified location data could be re-identified, and these risks are important to consider when assessing the proportionality of the loss of individuals’ privacy to the benefits for the organization when collecting location data.

Summary By: Anna Troshchynsky