Tim Horton’s Illegal Tracking Practices, New Allegations

Tim Horton’s Illegal Tracking Practices, New Allegations

In May of 2022, Canadian fast food restaurant Tim Horton’s become the latest major corporation to be accused of violating the personal privacy and data protection rights of the numerous customers that use their mobile application. More specifically, The Office of the Privacy Commissioner of Canada has stated that “People who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of every day, even when their app was not open, in violation of Canadian privacy laws, a joint investigation by federal and provincial privacy authorities has found. The investigation concluded that Tim Hortons’ continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better-targeted promotion of its coffee and other products.”

Mobile application permissions

For context, studies have shown that more than 1 in 10 Canadian citizens had used Tim Horton’s mobile application since 2020, which amounts to as many as 4.3 million users a month, signifying the reach and impact that the fast food chain has had among the general populace within the country. With all this being said, the manner in which large-scale businesses have managed the location settings within their mobile applications has come under great scrutiny around the world in recent years. Theoretically speaking, a consumer that has downloaded a mobile application on their iPhone or Android device should have the ability to toggle between having their location settings turned on and off at their sole discretion.

In practice, however, many lawsuits that have been filed in the past 5 years alone would suggest otherwise, and the case of Tim Horton’s would appear to be no different. To this point, there have also been four lawsuits filed against the company in response to their mobile application data collection practices, in addition to the privacy violations that have been alleged by Canada’s Privacy Commissioner. Much like other accusations that have been filed against major corporations with regard to violations of personal privacy, the wording that Tim Horton has used to describe the location settings within their mobile application was reportedly vague and ambiguous.

Initial allegations

Investigations into Tim Horton’s data protection practices first emerged in 2020, when Canada’s National Post, a conservative broadsheet daily newspaper, reported that the company’s mobile application had the functionality to track the movements of its users, even when the application itself was not being actively used. Subsequently, this report led to a great deal of concern and apprehension across Canada, as Tim Hortons is inarguably one of the most popular fast food restaurants in the country. As a result, “the chain’s parent company, Toronto-based Restaurant Brands International Inc., has faced continuing fallout in the form of four class-action lawsuits launched in British Columbia, Quebec, and Ontario.”

While the specifics may vary, all of these lawsuits hinge on the notion that Tim Horton’s had not been transparent or forthcoming about the scale and scope of personal information that was being collected from users of the company’s mobile application. While mobile applications for use in the fast food industry will typically be limited to ordering food at a particular location, lawsuits levied against Tim Horton’s claim that a wide range of personally identifiable information had been collected from users of the company’s mobile application, including location data that revealed visits that customers had made to medical and healthcare facilities, among other things.

Tim Horton’s response

On the contrary, Tim Hortons has addressed the various claims that have been against the company by stating that they have removed the geolocation technology features within their mobile application altogether. On top of this, Tim Hortons director of communications Michael Oliveira has been quoted as saying that “The company is co-operating with privacy authorities, he added, and made changes in June of 2020 to how it communicates the data its app uses.” Additionally, Oliveira stated that “We’ve also strengthened our internal team that’s focused on enhancing best practices when it comes to privacy and data. We’re continuing to focus on ensuring that guests can make informed decisions about their data when using our app.”

If the allegations that have been made against Tim Horton’s are proven to be true, the data collection practices that the company has implemented would represent a clear violation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the nation’s foremost data protection and personal privacy law with respect to both the federal and private sectors. More importantly, however, the company will have violated the trust of the millions of Canadians who patronize Tim Horton’s hundreds of locations across the country, as consumers who enable location services when looking to purchase a cup of coffee are not expecting their personal data privacy rights to be infringed upon as a part of the process.