Tim Hortons logo in front of one of their restaurants in Toronto

What We Can Learn from the Tim Hortons Mobile Privacy Debacle

A positive brand reputation means everything in the digital age. The Tim Hortons coffee chain became a cherished Canadian institution over nearly 60 years in business. However, questionable mobile app privacy practices tarnished the brand and now have the company facing the wrath of regulators and customers.

This month Canadian government agencies jointly announced the conclusion of an investigation into privacy violations of the Tim Hortons mobile app. Investigators concluded the mobile app secretly tracked and stored geolocation data without user consent even when the app wasn’t in use. While Tim Hortons representatives maintain the company collected the data to fuel a targeted marketing campaign and analyze customer trends, Canadian officials said the company went too far because the data can be used to directly identify users and infer personal details.

“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians,” said Canadian Privacy Commissioner Daniel Therrien in a statement.

Canadian regulators ordered Tim Hortons to delete the location data and establish a privacy management program. The ruling demonstrates the importance of proper mobile app privacy and security practices to safeguard trust and maintain compliance with regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The infamous British Airways mobile app breach demonstrates how privacy failures damage brand reputation. In 2018, the European Union fined the airline $230 million for violating GDPR after the British Airways mobile app leaked 380,000 credit card payments. The breach also caused the airline’s stock to drop over 30% and severely impacted customer relations.

Under Armour experienced a similar catastrophe when a vulnerability in the MyFitnessPal mobile app allowed threat actors to collect the usernames, passwords and email addresses of 150 million customers. The incident resulted in a market value drop of 3.8% and led Under Armour to sell the MyFitnessPal brand altogether.

Western Union, Equifax and other financial service companies also damaged user trust after mobile app vulnerabilities exposed sensitive personal information. Those incidents sparked a major investigation by the N.Y. Attorney General’s Office that resulted in a settlement and forced each company to increase its mobile security measures.

Mobile apps as a critical business asset

These privacy incidents demonstrate the importance of mobile app privacy. Only a few years ago mobile apps were viewed as a novelty by retailers. But in 2021 over 200 billion mobile apps were downloaded, generating over $167 billion in mobile revenue. Mobile app traffic has exceeded desktop traffic for years, and customers conduct most of their business transactions via mobile. Businesses rely heavily on mobile apps for analytical insights to improve the user experience, engage customers and generate new revenue streams.

Businesses can no longer neglect mobile app security and privacy. Customers demand assurance that mobile apps are built with proper privacy and security protections. It only takes a single privacy or security breach for customers to stop using a mobile app, so business leaders need to recognize the value of safeguarding trust to protect and maintain their customer base.

Safeguard trust with proper mobile app privacy practices

Unethical or improper data collection policies give customers the impression that companies don’t care about their privacy or safety. In order to build and maintain a truly effective and respectable brand, executives need to evaluate their organizations’ mobile app privacy practices. Most customers are aware of the value of their data, and organizations that sell it without consent put themselves in a negative light. Organizations without transparent policies run the risk of losing a loyal customer base, as well as severe penalties from regulators.

But transparent data privacy policies alone don’t suffice. Companies need to protect their customers’ sensitive data from exposure by building privacy by design into their mobile app portfolios and testing against standards prior to release. Automated mobile application security testing tools help organizations find and fix privacy issues in the development process to avoid leaking private data and maintain compliance.
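One concrete form such pre-release testing can take is a static check on the app's own manifest files for the permission that enables exactly the behaviour regulators objected to above: collecting location when the app is not in use. The script below is an added example written for this article, not NowSecure's tooling or any product's code. It parses a constructed AndroidManifest.xml and a constructed iOS Info.plist, flags foreground and background location access, and returns a pass/review/fail verdict that a CI pipeline could gate a release on. The permission and plist key names are real platform identifiers; the bundle names and sample manifests are made up for the example.

```python
"""Added example: a pre-release privacy gate that flags location access
declared in mobile app manifests. Sample manifests below are constructed."""
import plistlib
import xml.etree.ElementTree as ET

# Attributes such as android:name live in the Android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the scope of tracking they allow.
# Background access means data can be collected while the app is not in use.
ANDROID_LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION": "foreground",
    "android.permission.ACCESS_COARSE_LOCATION": "foreground",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background",
}

# Real iOS Info.plist keys; an "Always" key signals background location use.
IOS_LOCATION_KEYS = {
    "NSLocationWhenInUseUsageDescription": "foreground",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "background",
    "NSLocationAlwaysUsageDescription": "background",
}


def check_android_manifest(xml_text):
    """Return [(permission, scope)] for every location permission declared."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        scope = ANDROID_LOCATION_PERMS.get(name)
        if scope:
            findings.append((name, scope))
    return findings


def check_ios_plist(plist_bytes):
    """Return [(plist_key, scope)] for every location usage key present."""
    info = plistlib.loads(plist_bytes)
    return [(key, scope) for key, scope in IOS_LOCATION_KEYS.items() if key in info]


def privacy_verdict(findings):
    """'fail' if background location is requested (needs explicit consent and
    a documented purpose before release), 'review' if only foreground location
    is requested, 'pass' if the app declares no location access at all."""
    scopes = {scope for _, scope in findings}
    if "background" in scopes:
        return "fail"
    if "foreground" in scopes:
        return "review"
    return "pass"


# Constructed sample: an app that asks for background location, the pattern
# described in the Tim Hortons findings. The package name is hypothetical.
SAMPLE_ANDROID_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.coffeeapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>
"""

# Constructed sample: an iOS app that only uses location while in use.
SAMPLE_IOS_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.coffeeapp",
    "NSLocationWhenInUseUsageDescription": "Used to find the nearest store.",
})


if __name__ == "__main__":
    android = check_android_manifest(SAMPLE_ANDROID_MANIFEST)
    ios = check_ios_plist(SAMPLE_IOS_PLIST)
    print("Android findings:", android, "->", privacy_verdict(android))
    print("iOS findings:", ios, "->", privacy_verdict(ios))
```

Run against real build artifacts, the same functions would read the decoded AndroidManifest.xml from an APK and the Info.plist from an IPA; a "fail" verdict is the point at which a reviewer should confirm that the consent flow, privacy notice and data-retention rules actually cover background collection before the release proceeds.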

The Tim Hortons incident perfectly demonstrates how even the most respected brands can tarnish their image overnight with poor privacy practices. If major brands truly want to build a trusted relationship with customers, they need to implement transparent and ethical data privacy practices for mobile apps. In addition, security and development leaders must ensure their mobile apps safeguard personal data by practicing secure coding techniques and tapping automated mobile application security testing to reduce risk.


Chief Mobility Officer at NowSecure