Blog

Earlier this month, Canada’s privacy commissioner found that a mobile app for Tim Hortons, Canada’s beloved coffee chain, illegally collected ‘vast amounts’ of sensitive location data, violating privacy laws. The app, which used location-tracking technology from a US third-party service provider Radar, asked for permission to access the mobile device’s geolocation functions. However, the app “misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data,” according to Canada’s Office of the Privacy Commissioner. “The app also used location data to infer where users lived, where they worked, and whether they were traveling,” the Office of the Privacy Commissioner said. “It generated an ‘event’ every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.”

In their joint investigation report, the federal and provincial privacy commissioners found that Tim Hortons did not obtain valid consent required for the collection and use of the data, that it did not have adequate contractual safeguards in place with the third-party service provider and that Tim Hortons lacked a robust privacy management program. The ruling demonstrates the importance of proper privacy and security practices by businesses.
The media attention on this investigation seems to have also spurred the Canadian government to speed up the (re-)introduction of a new federal privacy law. Bill C-27, the Digital Charter Implementation Act, 2022, is expected to be presented by Innovation Minister Francois-Philippe Champagne today.