The mobile app from coffee shop Tim Horton’s has been collecting vast amounts of users’ private data without consent. The Canadian federal privacy commission investigation began two years ago after the Financial Post reported on Tim’s contract with Radar Labs Inc. Radar Labs is a third-party U.S. firm that provided enhanced location tracking services for the app.
What Private Data Did Tim Horton’s Collect?
Between May 2019 and August 2020 the Tim Horton’s app, which has four million users, collected users’ geolocation without their knowledge. The app collected personal data from users even when the app was not being used. People who downloaded the Tim Horton’s app had their movements tracked and recorded every few minutes of every day, even when their app was not open.
Radar was able to use the information it collected in the app to identify personal location data. The app could identify a user’s home, place of work and when they visited a competitor of Tim Horton’s. Reportedly, the app noted when users entered a Starbucks, Second Cup, McDonald’s, Pizza Pizza, A&W, KFC or Subway. The Tim Horton’s app was even able to figure out if users had been traveling. The app generated an “event” every time users entered or left a Tim Horton’s competitor, a major sports venue, or their home or workplace. Canadian Privacy Commissioner Daniel Therrien said in a statement:
Tim Horton’s clearly crossed the line by amassing a huge amount of highly sensitive information about its customers
What Happened to Tim’s?
According to the report, Tim Horton’s collected granular location data for the purpose of targeted advertising and product promotions, even though Tim’s never used the information for those purposes. The investigation also found that there were inadequate contractual protections for users’ personal data. Commissioner Therrien commented,
The location tracking ecosystem, where details of our daily lives are treated as a commodity to be exploited to sell us products and services such as a cup of coffee, heightens the risk of mass surveillance
Based on its findings, the OPC ordered Tim Horton’s to delete the granular data it collected, and any further data derived from it, and to order all third-party providers to do the same. Tim Horton’s has since complied. Additionally, the company agreed to create a privacy management program for the app and all future apps to prevent another privacy violation. The Office of the Privacy Commissioner noted that there “is a real risk that de-identified geolocation data could be re-identified.”
Tim Horton’s has more than 5,100 stores in 13 countries. Most are in Canada, but there are more than 600 in the US, mostly in New York, Michigan, and Ohio.
rb-
Tim Horton’s was caught collecting illegitimate data via its app. It is a safe bet that many more apps are doing much the same with dubious consent. It is essential to always read through a user agreement before consenting. Both Apple and Android offer options on their phones to restrict how apps track users, which is a step in the right direction.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005.

