On June 1, 2022, the Office of the Privacy Commissioner of Canada and the provincial privacy commissioners of Alberta, British Columbia and Québec (collectively, the Commissioners) released their findings of a joint two-year investigation into the Tim Hortons mobile ordering application (the App), as previously reported by the E-TIPS® Newsletter here. The Commissioners determined that the App violated applicable federal and provincial privacy laws by collecting location data of its users, without their adequate knowledge or valid consent.
The Commissioners focused their investigation on whether The TDL Group Corp. and its parent company (collectively, Tim Hortons):
The Commissioners’ investigation found that for users who provided permission to access their mobile device’s geolocation, the App continuously collected their location data as long as their device was on. Tim Hortons’ third-party service provider collected and processed location data to (i) infer the location of a user’s home, place of work, and whether they were travelling; and (ii) identify when a user visited a competitor of Tim Hortons.
The Commissioners found that, while Tim Hortons’ stated purpose for the collection of the location data was for targeted advertising and to better promote its products, it never used the data for this identified purpose. Instead, Tim Hortons only used aggregated location data in a limited way to analyze user trends.
The Commissioners determined that Tim Hortons’ collection of location data was not for an appropriate purpose that a reasonable person would consider in the circumstances. Moreover, there was no legitimate need to collect vast amounts of sensitive location data where such data was never used for the identified purpose, and the resulting loss to users’ privacy was not proportional to the potential benefits Tim Hortons may have obtained through targeted advertising of its products.
The Commissioners concluded that Tim Hortons did not obtain meaningful or valid consent as it (i) failed to inform users about collection of their location even when the App was closed; (ii) made misleading statements to users about data collection; and (iii) did not ensure users understood the consequences of consenting to the continual collection of their location data.
As a result of the investigation, the Commissioners recommended, and Tim Hortons agreed to:
The Commissioners emphasized the broader privacy concerns when collecting location data in their report, noting that location data is highly sensitive when tracked over time and can be used to infer an individual’s home, place of work and other personal information. The Commissioners highlighted that, even when de-identified, there is a real risk that de-identified location data could be re-identified, and these risks are important to consider when assessing the proportionality of the loss of individuals’ privacy to the benefits for the organization when collecting location data.
Summary By: Anna Troshchynsky
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.