It was probably a surprise to many who read James McLeod's article in June 2020 that Tim Hortons' app collected detailed location information. Ironically, the journalist learned of the personal information the app collected about him from Tim Hortons' response to his access request. Although he had only given the app permission to use the location functionality of his phone while the app was in use, the app had been collecting user location data as frequently as every few minutes of every day, even when the app was not open.

A joint report issued June 1, 2022 by the Office of the Privacy Commissioner of Canada and the private sector privacy authorities of Quebec, Alberta and British Columbia has confirmed that the collection of users' location information by Tim Hortons' app was in violation of various Canadian privacy laws. The regulators also found that Tim Hortons did not adequately protect the personal information and lacked accountability for it.

While many businesses do not track location data, Tim Hortons' experience is an important lesson to those that do collect other information about users through websites, apps and devices. Some key takeaways include:

  1. Before collecting personal information, businesses should assess whether they have an appropriate purpose that is reasonable. This assessment is contextual and can depend on the sensitivity of the information. A business does not always appreciate that the data it collects over time can be quite rich and sensitive.
  2. Do not collect personal information if it is not going to be used. Collecting information for targeted advertising may be legal in many circumstances. Tim Hortons' vast collection of data over time, however, was not proportional to the potential benefits the company hoped to gain from targeted advertising, because that advertising never actually occurred.

    The commissioners recommended that Tim Hortons develop a privacy management program that ensures collection is necessary and proportional. Through the investigation, the commissioners did not find there was any assessment of the app before its launch and were concerned about whether Tim Hortons had adequate policies and procedures to ensure compliance.
  3. Consent requires the user be informed of the scope of data collection and its implications. Businesses should understand the tools they implement and explain them to their users. Transparency is the best approach.

    Remember, users cannot provide consent if the purpose for collecting the personal information is not appropriate, reasonable, or compliant with privacy laws. Consent will probably not effectively waive privacy protections afforded to individuals by the law. Since Tim Hortons could not prove a valid purpose for their collection of data, they could not obtain proper consent.
  4. Organizations have an obligation to ensure service providers adequately protect privacy and limit use and disclosure. The commissioners criticized the contractual protections Tim Hortons implemented to protect user personal information while it was being processed and deemed these protections inadequate. While the third-party service provider, Radar, did not use the data for its own purposes, the contractual clauses were found to be vague and permissive.

    Related companies also should have protections in place to ensure the protection of privacy and limitation on use and disclosure when transferred.

Hopefully, Tim Hortons' experience will raise awareness with individuals and businesses alike, so that we can all be more aware and improve privacy practices for the benefit of all Canadians.
