The Canadian government has accused Canadian coffee chain Tim Hortons of spying on its customers. A report from the Office of the Privacy Commissioner of Canada (OPC), which launched an investigation into the app in June 2020, revealed the news.
The investigation was triggered by a news article from The Financial Post. The journalist reported that in less than five months, the Tim Hortons app tracked his longitude and latitude coordinates more than 2,700 times, and not just when he was using the app. The OPC’s aimed to examine whether Tim Hortons was compliant with Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), if the app got meaningful consent from its users, and whether the data it collected was appropriate.
The results of the report are not great for Tim Horton’s. It found that Tim Hortons, with the help of a US platform called Radar, updated the app in May 2019 to continually track and collect the location of users’ devices who provided consent. However, the OPC did not regard this consent as meaningful since the app did not disclose the extent of its data collection and that it would collect data even when the app was closed. Radar was able to use the information it collected in the app to analyze a user’s home, place of work, and when they were visiting a competitor of Tim Hortons. It collected such information as often as every few minutes.
The report goes on to state that although Tim Hortons did not end up using much of the data for marketing or creating better products, it finds that its data collection user tracking was not appropriate given the circumstances and gravely impacted user privacy. The data was also stored for over a year without being used.
Based on its findings, the OPC ordered Tim Horton’s to delete the granular data it collected, and any further data derived from it and to order all third-party providers to do the same. Tim Hortons has since complied. The company also stopped collecting that kind of data via its app once the investigation began in 2020.
Although one company was caught out in its illegitimate data collection via an app, it’s safe to assume that plenty more are doing much the same with dubious consent. While it’s essential to always read through a user agreement before consenting, what about when what you’re agreeing to isn’t made clear? In 2021, Apple started giving users the option to restrict how their apps track them, which is a step in the right direction. But there’s still a way to go before we get true privacy on our phones.
In the meantime, here are me things you can do to help protect yourself while using your phone:
- Check your privacy settings and ensure you approve of all the current permissions and turn off any you don’t
- Use a VPN so that all your apps are encrypted
- Delete the default browser and use a privacy-focused one
- Only visit websites with an SSL certificate
- Only use app store-approved apps and read the fine print carefully before installing
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.