‘A massive invasion of privacy’ but no sanctions for Tim Hortons

One way to find out how deeply woven Tim Hortons is in the fabric of Canada is a cross-border comparison. If McDonald’s, arguably its closest analogue in the United States, wants to have the same per capita reach in that market as Tim Hortons in Canada, it would have to roughly triple its 13,000-plus population. American outlets.

Despite being in foreign hands since 2014, Tim Hortons still waves the Canadian flag as forcefully as possible. But last week, a damning report from the federal privacy commissioner and three of his provincial counterparts detailed how Tim Hortons flouted a wide variety of laws to spy on Canadians, creating “a massive invasion of Canadians’ privacy.”

“As a society, we wouldn’t accept it if the government wanted to track our movements every few minutes of every day,” federal privacy commissioner Daniel Therrien said at his latest official press conference. “It is equally unacceptable that private companies think so little about our privacy and freedom that they can initiate these activities without giving it a second’s thought.”

The vector for Tim Hortons’ large-scale snooping, according to the report, was the mobile phone app, which was downloaded 10 million times in the three years since its launch in 2017. Initially, the app had typical shopping features related to payment, loyalty points and placing orders.

But the privacy commissioners found that Tim Hortons slipped into a new position in 2019. With the help of Radar, a geolocation software company based in the United States, it has turned the GPS systems in customers’ phones into a business snooping tool. Of course, many apps ask users for permission to access their phone’s GPS while actively using the apps for potentially useful functions, such as locating the nearest outlet of a store, bank, or restaurant.

However, the Tim Hortons app went much further and tracked users around the clock – even when the app was closed. It recorded not only their geographic location, but whether that location was a home, factory, or office and even, in many cases, the name of the building they were in. It even registered, according to the report, whether they were in rival coffee shops. The continuous tracking occurred despite users being told they would only be tracked while using the app.

Originally, the report found, Tim Hortons’ intent was for the system to track individuals to send them specific promotions, such as coupons for a Tim Hortons booth if they were in an arena for a hockey game, for example. It dropped that plan to monitor individuals, but did use the data, in aggregate form, to look for patterns and changes in where and when Canadians picked up their double-doubles.

The report goes on to address a wide range of other flaws, such as inadequate protection of the data the app was collecting, and fraud in privacy statements.

The tracking system was only shut down in June 2020 after the joint privacy investigation started. The reason for this was an article in The National Post by James McLeod, who found that the app was constantly documenting his whereabouts, even when he was on vacation abroad.

When the report was released, Mr. Therrien and the other privacy commissioners made it clear that Tim Hortons had violated Canadians’ privacy to an extraordinary extent.

“Geolocation data is incredibly sensitive because it paints such a detailed and revealing picture of our lives,” he said, adding that “the risks associated with the collection and use of location information remain high even when it is ‘anonymized’.” is, as it is, can often be re-identified relatively easily.”

While there are some class actions against Tim Hortons, the company has not been fined or sanctioned under federal or state privacy laws.

The app will continue to be available for download on both iPhones and Android phones. (I asked Apple and Google if the tracking software violated their app store policies or if they had taken action against Tim Hortons. Neither company contacted me.)

In an email, Tim Hortons said it will begin its own privacy review in 2020 and implement all of the recommendations in the privacy commission’s report.

“We’ve strengthened our in-house team dedicated to improving privacy best practices and remain focused on ensuring that guests can make informed decisions about their data when using our app,” the company said.

Mr Therrien and outside experts have long argued that Canada’s privacy laws, or the system for enforcing them, should be overhauled. It took a journalist to find out what Tim Hortons was up to, the official investigation dragged on for nearly two years and, in the end, there were no sanctions. Only Quebec’s privacy office currently has the authority to impose fines, but the maximum fine it could have imposed on Tim Hortons, whose parent company had sales of $2 billion in 2020, is Canadian dollars 10,000.

“The laws have no teeth,” Jill Clayton, the information and privacy commissioner for Alberta, told the news conference.

Mr Therrien said the Tim Hortons case is not an isolated example – it is just the one that has come to light.

“Obviously, what happened in Tim Hortons is happening elsewhere in the information-gathering ecosystem,” he said. “Are there sufficient guarantees? Obviously not.”


Born in Windsor, Ontario, Ian Austen was educated in Toronto, lives in Ottawa and has reported on Canada for The New York Times for the past 16 years. Follow him on Twitter at @ianrausten.


How are we doing?
We’d love to hear your thoughts on this newsletter and events in Canada in general. Send them to nytcanada@nytimes.com.

Do you like this email?
Forward it to your friends and let them know they can sign up here.

Leave a Comment