A Tim Hortons in Toronto in May 2022.

Canadian investigators determined that users of the Tim Hortons mobile app had their movements tracked and recorded every few minutes of every day, even when the app wasn't open.

The Tim Hortons app asked for permission to access the mobile device's geolocation functions, but misled many users into thinking that information would only be accessed when the app was in use. According to an announcement by Canada's Office of the Privacy Commissioner, the app tracked users as long as the device was on. The federal office was involved in the investigation of Tim Hortons.

The Office of the Privacy Commissioner stated that the app used location data to infer where users lived, worked, and traveled. The app generated an event every time a user entered or left a Tim Hortons competitor or a major sports venue.

The Office of the Privacy Commissioner said that Tim Hortons continued to collect vast amounts of location data despite the fact that it had no legitimate need to do so. The federal office said that Tim Hortons used aggregated location data to analyze user trends.

“Inappropriate form of surveillance”

Therrien said, "Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers." It was clearly an inappropriate way to follow people's movements.

Tim Hortons has more than 5,000 stores in 13 countries. The majority are in Canada, but there are more than 600 in the US.

After the government began investigating, Tim Hortons stopped tracking users. "Tim Hortons' contract with an American third-party location services supplier contained language so vague and permissive that it would have allowed the company to sell 'de-identified' location data for its own purposes." There is a risk that the data could be re-identified.


Tim Hortons will not be punished for implementing the recommendations. According to the report, Tim Hortons' commitments will bring the company into compliance with Canadian law. The organization is committed to implementing satisfactory corrective actions when they violate Canadian privacy laws.

Tim Hortons agreed to "delete any remaining location data and direct third-party service providers to do the same," according to the announcement. Tim Hortons will give the government details on its compliance.

Reporter uncovered privacy violation

In June 2020, the Financial Post published a report titled "Double-double tracking: How Tim Hortons knows where you sleep, work, and vacation." The reporter found that "Tim Hortons had recorded my latitude and longitude more than 2,700 times in less than five months and not just when I was using the app."

In June 2020, Tim Hortons took immediate steps to improve how they communicate with guests and began reviewing their privacy practices. We immediately removed the technology outlined in the report from the app. The data from this technology was never used for personalization. The data was only used to study trends in our business and did not contain personal information from guests.

The investigation provides another example of an organization not notifying customers about its practices. Customers of Tim Hortons didn't have enough information to consent to location tracking.