People who downloaded the Tim Hortons app before the survey began in June 2020 tracked and recorded their movements every few minutes every day, even when the app was not turned on.

This violates Canadian laws on the protection of personal information, the Commissioner said in his report released Wednesday morning.

He is a journalist from National PostJames McLeod, who sounded the alarm in 2020, then obtained data showing that the Tim Hortons app on his cell phone tracked his location more than 2,700 times in less than five months.

Geofencing happens even when the app is not turned on on his phone. It is likely that visits to competing restaurants as well as the home and business addresses of the journalist were among the recorded data.

Without proper user permission

Subsequent investigation focused on whether Restaurant Brands International, Tim Hortons ’core company, obtained significant consent from users to collect and use their location data.

The commissioner concluded that, while the app sought permission to access location-based services, it was misleading by letting users know that access to data was only possible when it was open.

” This survey sends a clear message to organizations: you can’t spy on your customers just because it’s part of your marketing strategy. “

Not only is this type of information collection a violation of the law, it is also a complete violation of customer trust.said Michael McEvoy, information and privacy commissioner of British Columbia, who participated in the investigation.

Tim Hortons can indicate where users live

The application also used geolocation data to find out where users lived and worked, whether it was written in the commissioner’s press release.

He developed a event whenever users enter or exit the following locations: Tim Hortons competitors, major sporting venues, residential areas and workplaces.

The company defended itself by saying it only used geolocation data in a limited way with the aim of analyzing user trends.

One risk, even if the data collected is depersonalized

Tim Hortons stopped its ongoing tracking of user geolocation data in 2020, after the investigation began. But the commissioner believes it has not eliminated the risk of surveillance and identification.

Individuals are easily identified by their movements, he explains. In addition to the ability to determine an individual’s place of residence and employment, this information allows inferences about religious beliefs, sexual preferences and political affiliations, among others.

The investigation also found that Tim Hortons ’contract with a U.S. third-party location-based service provider“ contained language so broadly and loosely structured that a third-party could sell location data not specified for its own purposes. “

” Tim Hortons has gone too far in gathering so much very sensitive information about its customers. “

Commissioner Daniel Therrien conducted the investigation along with privacy commissioners of British Columbia, Quebec and Alberta.

Recommendations

The four Privacy Authorities made the following recommendations to Tim Hortons:

• Delete any remaining geolocation data and ask third party service providers to do the same;

• Establish and maintain a privacy management program;

• Report in detail the actions taken by the company to comply with the recommendations.

Tim Hortons agreed to implement these recommendations.