Shop front of Tim Hortons showing Tim Hortons being investigated for their data collection practices

Canadian Donut Giant Tim Hortons in Hot Oil Over Data Collection Practices

The Tim Hortons breakfast empire is feeling the heat in its native Canada over the data collection practices of its mobile app. The Office of the Privacy Commissioner of Canada (OPC), along with the privacy commissioners of the provinces of Quebec, Alberta and British Columbia is launching an investigation to determine if the company’s mobile app is in violation of federal private sector privacy law.

The investigation centers on whether or not Tim Hortons obtained meaningful consent from app users before engaging in data collection that included personal information stored in user profiles and logging of habits and activities, and if it was collecting geolocation data for purposes of tracking even when it was not open and active.

Tim Horton’s dubious data collection

The investigation will determine whether the Tim Hortons app violated the national Personal Information Protection and Electronic Documents Act (PIPEDA), as well as privacy laws that the three individual provinces have enacted. The federal Privacy Commissioner’s office called it a matter of “great importance to Canadians” due in particular to the collection of geolocation data. The four agencies are coordinating on the investigation and issued a joint statement.

The investigation comes in response to an early June report from the Financial Post that detailed the extent of the Tim Hortons mobile app data collection. Post reporter James McLeod tracked the data collected by the app through his own personal account back to May 2019 and found that the company was frequently receiving updates on his location in the form of specific GPS coordinates, even at times that the app was not open or active. McLeod obtained this information through a PIPEDA request, finding that the company accessed his location information over 2,700 times in five months. It appeared to be particularly active when he was physically near a Tim Hortons competitor, but logged precise entry and exit times for all sorts of locations including a visit to his girlfriend’s house and a flight taken from Toronto’s airport.

In addition to logging location information, the app keeps thorough details about the user’s hardware and network. Among other things it logs the type of device, the operating system, IP address, unique Android Advertising ID and service carrier. It also logs every interaction with the app and the items that customers order through it, creating detailed user profiles that can stretch back as far as 12 months.

The case will hinge on whether or not the Canadian privacy agencies agree that app users did not know what they were signing up for in terms of the scope of the data collection and location tracking. Based on the Financial Post report, it appears that the app triggered GPS location pinging at so many different locations that it was possible to create an extremely detailed log of a person’s daily movements, and that this information was made available even if the user did not have the app open.

Did Tim Hortons violate Canadian privacy law?

PIPEDA requires that consent be obtained at or before the time of data collection. The big question in this case is whether the blanket “consent” that the Tim Hortons app collects at the time of installation is sufficient to cover the scope of location tracking and customer activity logging that it engaged in.

Though it features some robust personal privacy protections, PIPEDA is a bit dated and was not originally written with data privacy matters in mind. The original version of the law, introduced in 2001, applied to a variety of federally regulated industries such as banking and aviation. It was expanded in scope to apply to health care in 2002, and in 2004 became applicable to any business engaging in data collection that includes personal information.

The 2015 Digital Privacy Act (DPA) update added some terms to PIPEDA that are likely to become relevant in this case. The DPA updated the standard of obtaining meaningful consent from a simple initial notification to a “graduated consent” policy that requires the end user to ” … understand the nature, purpose, and consequences of the collection.” The fact that the Financial Post reporter had to request reams of documents and pore through them to understand the scope of how much tracking was going on does not seem like a point in Tim Hortons favor. Also damning is that the app continued with its GPS location data collection when not active; any reasonable person would assume that a loyalty program app that is not currently running would not be feeding continual GPS data back to its developer.

The individual acts in each of the three provinces are considered to be “substantially similar” to the terms of PIPEDA, so presumably the same standards will apply everywhere in the country. In the meantime, Tim Hortons has announced that it is voluntarily scaling back data collection by only having the location reporting active when the user has the app open. This protection appears to apply to United States app users as well; Tim Hortons has over 600 locations sprinkled throughout the northeastern and Great Lakes states near the Canadian border.