Tim Hortons app collects user data without consent: Difference between revisions
No edit summary |
|||
| (9 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
{{ | {{Incomplete}} | ||
{{ | {{IncidentCargo | ||
In June of 2022, reports in Canada went viral regarding the Tim Hortons Android app which was collecting personal information from users phones without consent. Tim Hortons used a third-party service, Radar, to collect geolocation data of users. it is alleged that they stopped this practice in August of 2020. One of the pieces of data reported back to the Tim Hortons servers included information about when a person with this app on their phone was visiting a competitor coffee shop. | |Company=Radar, Tim Hortons | ||
|StartDate=2019-05 | |||
|EndDate=2020-08 | |||
|Status=Resolved | |||
|ProductLine= | |||
|Product=Tim Hortons App | |||
|ArticleType=Service | |||
|Type=Data, Privacy | |||
|Description= | |||
}} | |||
==Background== | |||
In June of 2022, reports in Canada went viral regarding the Tim Hortons Android app which was collecting personal information from users phones without consent. Tim Hortons used a third-party service, Radar, to collect geolocation data of users. it is alleged that they stopped this practice in August of 2020. One of the pieces of data reported back to the Tim Hortons servers included information about when a person with this app on their phone was visiting a competitor coffee shop. | |||
== | ==Tim Hortons app tracked too much personal information without adequate consent (May 2019)== | ||
= | Starting in in May 2019 Tim Hortons released updated versions of its App so that it could, with assistance from a US third-party service provider (“Radar”), track and collect the location of Users’ devices. <ref name=":0">{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée |archive-url=http://web.archive.org/web/20251009200547/https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |archive-date=9 Oct 2025}}</ref> | ||
{{ | |||
In August 2020, subsequent to notification of investigation by the Office of the Privacy Commissioner of Canada, Tim Hortons permanently ceased collecting granular location data, via the App, for purposes of targeted advertising.<ref name=":0" /> | |||
=== | ==Investigation Report by the Office of the Privacy Commissioner of Canada (June 1, 2022)== | ||
The finding from the investigation are as follows: | |||
*Tim Hortons did not collect or use personal information for appropriate purposes in the circumstances<ref name=":0" /> | |||
*Tim Hortons did not obtain valid consent, as would have been required for its collection and use of the Radar Location Data through the App had we found Tim Hortons to have had an appropriate purpose.<ref name=":0" /> | |||
During the course of the Investigation two additional concerns were identified: | |||
*The contractual protections Tim Hortons implemented to protect Users’ personal information while being processed by a third-party service provider.<ref name=":0" /> | |||
The | |||
*Accountability, and Tim Hortons’ apparent failure to implement policies and practices to ensure compliance with the Acts.<ref>{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée |archive-url=http://web.archive.org/web/20251009200547/https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |archive-date=9 Oct 2025}}</ref> | |||
== | ==Tim Hortons' response post investigation== | ||
Deletion: [Tim Hortons] agreed to comply with the recommendation detailed in paragraph 90 within one (1) month of the lifting of any relevant litigation holds, which currently prevents [Tim Hortons] from deleting, or effecting deletion, of the data in question, following a final disposition of the matters underlying the litigation holds. In the interim, [Tim Hortons] will not use the data for any purpose other than in relation to the associated litigation. [Tim Hortons] will inform our Offices in writing of its compliance with this commitment within 14 days of completing the required deletions, including with a detailed description of the data deleted by [Tim Hortons] and that deleted by its third-party service providers.<ref name=":0" /> | |||
Privacy Management Program: [Tim Hortons] agreed to comply with the recommendations detailed in paragraph 91 and 92 within twelve (12) months of the issuance of this report of findings, noting the effort and resources that would be required to implement such a program. [Tim Hortons] further agreed to provide quarterly written updates to our Offices detailing work completed, and progress to completion, on development and implementation of the privacy management program to date.<ref name=":0" /> | |||
==Class action lawsuits== | |||
Restaurant Brands International Inc., the parent company of Tim Hortons, is facing several class-action lawsuits in relation to its mobile app. | |||
https://uwaterloo.ca/cybersecurity-privacy-institute/news/tim-hortons-app-violated-privacy-laws-after-collecting | The lawsuits were launched after the Financial Post's reporting on the collection of geolocation data.<ref name=":0" /> | ||
==See also== | |||
*https://www.priv.gc.ca/en/opc-news/news-and-announcements/2022/nr-c_220601/ | |||
*https://uwaterloo.ca/cybersecurity-privacy-institute/news/tim-hortons-app-violated-privacy-laws-after-collecting | |||
==References== | |||
{{Reflist}} | |||
[[Category:Tim Hortons]] | |||
[[Category:2019 incidents]] | |||
[[Category:2022 incidents]] | |||
Latest revision as of 04:59, 6 March 2026
⚠️ Article status notice: This article has been marked as incomplete
This article needs additional work for its sourcing and verifiability to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues.
This notice will be removed once sufficient documentation has been added to establish the systemic nature of these issues. Once you believe the article is ready to have its notice removed, please visit the Moderator's noticeboard, or the discord and post to the #appeals channel.
Learn more ▼
Background
[edit | edit source]In June of 2022, reports in Canada went viral regarding the Tim Hortons Android app which was collecting personal information from users phones without consent. Tim Hortons used a third-party service, Radar, to collect geolocation data of users. it is alleged that they stopped this practice in August of 2020. One of the pieces of data reported back to the Tim Hortons servers included information about when a person with this app on their phone was visiting a competitor coffee shop.
Tim Hortons app tracked too much personal information without adequate consent (May 2019)
[edit | edit source]Starting in in May 2019 Tim Hortons released updated versions of its App so that it could, with assistance from a US third-party service provider (“Radar”), track and collect the location of Users’ devices. [1]
In August 2020, subsequent to notification of investigation by the Office of the Privacy Commissioner of Canada, Tim Hortons permanently ceased collecting granular location data, via the App, for purposes of targeted advertising.[1]
Investigation Report by the Office of the Privacy Commissioner of Canada (June 1, 2022)
[edit | edit source]The finding from the investigation are as follows:
- Tim Hortons did not collect or use personal information for appropriate purposes in the circumstances[1]
- Tim Hortons did not obtain valid consent, as would have been required for its collection and use of the Radar Location Data through the App had we found Tim Hortons to have had an appropriate purpose.[1]
During the course of the Investigation two additional concerns were identified:
- The contractual protections Tim Hortons implemented to protect Users’ personal information while being processed by a third-party service provider.[1]
- Accountability, and Tim Hortons’ apparent failure to implement policies and practices to ensure compliance with the Acts.[2]
Tim Hortons' response post investigation
[edit | edit source]Deletion: [Tim Hortons] agreed to comply with the recommendation detailed in paragraph 90 within one (1) month of the lifting of any relevant litigation holds, which currently prevents [Tim Hortons] from deleting, or effecting deletion, of the data in question, following a final disposition of the matters underlying the litigation holds. In the interim, [Tim Hortons] will not use the data for any purpose other than in relation to the associated litigation. [Tim Hortons] will inform our Offices in writing of its compliance with this commitment within 14 days of completing the required deletions, including with a detailed description of the data deleted by [Tim Hortons] and that deleted by its third-party service providers.[1]
Privacy Management Program: [Tim Hortons] agreed to comply with the recommendations detailed in paragraph 91 and 92 within twelve (12) months of the issuance of this report of findings, noting the effort and resources that would be required to implement such a program. [Tim Hortons] further agreed to provide quarterly written updates to our Offices detailing work completed, and progress to completion, on development and implementation of the privacy management program to date.[1]
Class action lawsuits
[edit | edit source]Restaurant Brands International Inc., the parent company of Tim Hortons, is facing several class-action lawsuits in relation to its mobile app.
The lawsuits were launched after the Financial Post's reporting on the collection of geolocation data.[1]
See also
[edit | edit source]- https://www.priv.gc.ca/en/opc-news/news-and-announcements/2022/nr-c_220601/
- https://uwaterloo.ca/cybersecurity-privacy-institute/news/tim-hortons-app-violated-privacy-laws-after-collecting
References
[edit | edit source]- ↑ 1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 "Joint investigation into location tracking by the Tim Hortons App". Commissariat à la protection de la vie privée. Archived from the original on 9 Oct 2025. Retrieved September 28, 2025.
- ↑ "Joint investigation into location tracking by the Tim Hortons App". Commissariat à la protection de la vie privée. Archived from the original on 9 Oct 2025. Retrieved September 28, 2025.