The federal privacy commissioner’s investigation into the Tim Hortons mobile app found that the app unnecessarily collected extensive amounts of data without obtaining adequate consent from users.
the reportwhich was published Tuesday morning, states that Tim Hortons collected granular location data for the purpose of targeted advertising and the promotion of its products, but that the company never used the data for those purposes.
“The consequences associated with the App’s collection of that data, the vast majority of which was collected when the App was not in use, represented a loss of Users’ privacy that was not proportional to the potential benefits Tim Hortons may have hoped to gain from improved targeted promotion of its coffee and associated products,” read the report.
The joint investigation was launched about two years ago by the Office of the Privacy Commissioner of Canada in conjunction with similar authorities in BC, Quebec and Alberta. It came after reporting from the Financial Post found that the Tim Hortons app tracked users’ geolocation while users were not using the app.
Tim Hortons was using a third-party service provider, Radar, to collect geolocation data from users. In August 2020, Tim Hortons stopped collecting location data.
The report states that Tim Hortons also agreed to delete all granular location data and to have third-party service providers do so as well, as per recommendations from the privacy authorities. It also agreed to establish a privacy management program for its app and all future apps to ensure they are compliant with federal and provincial privacy legislation.
The federal law governing privacy issues is known as the Personal Information Protection and Electronic Documents Act, or PIPEDA.
Given these remedies, the report found that while the Tim Hortons app was not compliant with privacy laws, it has since taken measures to resolve the issues.
More to come