The Federal Privacy Commissioner’s investigation into the Tim Hortons mobile app found that the app was unnecessarily collecting large amounts of data without obtaining adequate consent from users.
The commissioner’s report, which was released Wednesday morning, says Tim Hortons has collected granular location data for the purpose of targeted advertising and promotion of its products, but the company has never used the data for these purposes.
“The consequences associated with the app collecting this data, the vast majority of which was collected when the app was not in use, represented a loss of user privacy that was out of proportion to the potential benefits that Tim Hortons could have hoped for better targeted promotion of its coffee and related products,” the report read.
The joint investigation was launched about two years ago by the Office of the Privacy Commissioner of Canada in conjunction with similar authorities in British Columbia, Quebec and Alberta. It came after a Financial Post report found the Tim Hortons app was tracking users’ geolocations while users weren’t using the app.
According to an investor presentation shared in May, the restaurant chain’s app has four million active users.
Geolocation data collected by third parties
Tim Hortons used a third-party service provider, Radar, to collect geolocation data from users. In August 2020, Tim Hortons stopped collecting location data.
However, the investigation revealed that there was a lack of contractual protections for users’ personal information when processed by Radar. The report describes the language of the contract terms as “vague and permissive”, which could have allowed Radar to use the personal information collected in an aggregated or anonymized form for its own business.
“While we accept that Radar did not engage in any use or disclosure for its own purposes, the contractual language in this instance would not appear to provide adequate protection by Tim Hortons of users’ personal information,” says the report.
The report says Tim Hortons has also agreed to remove all granular location data and have third-party service providers do so as well, as recommended by privacy authorities. The company has also agreed to establish a privacy management program for its app and all future apps to ensure they comply with federal and state privacy laws.
The federal law governing privacy matters is known as the Personal Information Protection and Electronic Documents Act, or PIPEDA.
Given these remedies, the report found that while the Tim Hortons app did not comply with privacy laws, the company has since taken steps to resolve the issues.
“We have strengthened our internal team dedicated to improving privacy best practices and we continue to focus on ensuring that customers can make informed decisions about their data when using our app,” Tim Hortons said on Wednesday.
“Increases the risk of mass surveillance”
The privacy commissioners responsible for the joint investigation held a conference call with reporters on Wednesday, during which they strongly condemned the privacy violations highlighted in the report.
“The geolocation ecosystem, where the details of our daily lives are treated as a commodity to be exploited to sell us products and services like a cup of coffee, increases the risk of mass surveillance,” said Daniel Therrien, Privacy Commissioner of Canada.
David Fraser, a privacy lawyer with the McInnes Cooper law firm in Halifax, said the findings of the investigation are a lesson not just for Tim Hortons, but for any entity building an app which collects location data.
“Location information is generally recognized as some of the most sensitive information that can be collected because of the kind of inferences you can draw about people’s lifestyle, … where they will tell you where they live, where they work, where they go,” Fraser said.
Call for tougher privacy legislation
Therrien said it’s possible other apps are in similar violation of privacy laws.
However, the current investigation framework is based on filing complaints with the commissioner’s office. In this case, media reports sparked an investigation.
“We need to have the power to open an investigation not to see if there is a fire, but preemptively to ensure compliance with the law,” Therrien said, adding that preemptive action would build the confidence of consumers.
The Federal Commissioner does not have the power to impose fines on entities found to have violated PIPEDA. However, the Commission d’accès à l’information du Québec will soon be able to issue administrative monetary penalties, fines, enforcement orders and more. These new powers will come into force in September 2023.
Michael McEvoy, British Columbia’s Information and Privacy Commissioner, said more powers need to be given to the offices of privacy commissioners.
“It puts the spotlight on our elected assemblies and jurisdictions to act,” he said.
Karen Eltis, a law professor at the University of Ottawa and a faculty member of the university’s Centre for Law, Technology and Society, said there is a general consensus among privacy experts that Canada’s privacy laws and frameworks need to be “refreshed”. Privacy expectations are changing, she said, including the ban on consent when it comes to data collection.
“When we were talking about consent five years ago, 10 years ago we really meant ticking a box, which I’ve been criticizing for a long time. Now we’re looking at meaningful consent,” Eltis said.
Vass Bednar, executive director of the Masters in Public Policy program at McMaster University in Hamilton, said the survey highlights the need for more comprehensive laws that allow institutions to take quick action, including in the form of financial penalties.
“That investigation lasted two years. A lot has happened in the digital economy in two years. I’ve downloaded a bunch of other apps since then,” she said.
Bednar said the interests of the public must be given higher priority when weighing the costs and benefits of data collection by companies.
“Some of the things they could learn about their clients are, I think, legitimately interesting,” she said. “But in terms of real value to ordinary people and value to our wider economy, it’s just not there.”
The company is facing several class action lawsuits
Restaurant Brands International Inc., the parent company of Tim Hortons, is facing several class action lawsuits related to its mobile app.
The lawsuits were launched after the Financial Post report on the collection of geolocation data.
Fraser said that while the findings of the commissioners’ investigation will be relevant to the prosecution, a different standard would be applied in court, including whether the invasion of privacy would be “highly offensive to a reasonable person”.
“The court has to make its own determination of the facts. The court can’t delegate to say, ‘Well, here’s what the privacy commissioner found, and so we’re going to believe it,’” he said.