Tim Hortons app collects user data without consent: Difference between revisions

Privacywarrior (talk | contribs)
 
(7 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{Stub}}
{{Incomplete}}
{{Delete|Only a few sentences, no NPOV, no inline references.}}
{{IncidentCargo
|Company=Radar, Tim Hortons
 
|StartDate=2019-05
|EndDate=2020-08
|Status=Resolved
|ProductLine=
|Product=Tim Hortons App
|ArticleType=Service
|Type=Data, Privacy
|Description=
}}
==Background==
==Background==
In June of 2022, reports in Canada went viral regarding the Tim Hortons Android app which was collecting personal information from users phones without consent. Tim Hortons used a third-party service, Radar, to collect geolocation data of users. it is alleged that they stopped this practice in August of 2020. One of the pieces of data reported back to the Tim Hortons servers included information about when a person with this app on their phone was visiting a competitor coffee shop.
In June of 2022, reports in Canada went viral regarding the Tim Hortons Android app which was collecting personal information from users phones without consent. Tim Hortons used a third-party service, Radar, to collect geolocation data of users. it is alleged that they stopped this practice in August of 2020. One of the pieces of data reported back to the Tim Hortons servers included information about when a person with this app on their phone was visiting a competitor coffee shop.
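Review bot: the Delete template's rationale at the top of this hunk says "no inline references", but the sections further down the page carry inline ref citations to the OPC investigation report, so the rationale should be updated or the template dropped. The Background paragraph itself has no citation and says "it is alleged that they stopped this practice in August of 2020", while a later section states the August 2020 cessation with a reference; reuse that reference here, and fix "users phones" and the lowercase "it is alleged". The Description field of IncidentCargo is also left empty.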
Line 8: Line 16:
==Tim Hortons app tracked too much personal information without adequate consent (May 2019)==
==Tim Hortons app tracked too much personal information without adequate consent (May 2019)==


Starting in in May 2019 Tim Hortons released updated versions of its App so that it could, with assistance from a US third-party service provider (“Radar”), track and collect the location of Users’ devices. <ref>{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée}}</ref>
Starting in in May 2019 Tim Hortons released updated versions of its App so that it could, with assistance from a US third-party service provider (“Radar”), track and collect the location of Users’ devices. <ref name=":0">{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée |archive-url=http://web.archive.org/web/20251009200547/https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |archive-date=9 Oct 2025}}</ref>


In August 2020, subsequent to notification of investigation by the Office of the Privacy Commissioner of Canada, Tim Hortons permanently ceased collecting granular location data, via the App, for purposes of targeted advertising.<ref>{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée}}</ref>
In August 2020, subsequent to notification of investigation by the Office of the Privacy Commissioner of Canada, Tim Hortons permanently ceased collecting granular location data, via the App, for purposes of targeted advertising.<ref name=":0" />


==Investigation Report by the Office of the Privacy Commissioner of Canada (June 1, 2022)==
==Investigation Report by the Office of the Privacy Commissioner of Canada (June 1, 2022)==
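Review bot: the doubled word in "Starting in in May 2019" is carried through unchanged on both sides of this change, which only touches the reference markup; correct it to "Starting in May 2019" in the same edit. The archive-url added to the named reference uses the http:// form of web.archive.org, and the https:// form would be preferable.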
Line 16: Line 24:
The finding from the investigation are as follows:
The finding from the investigation are as follows:


*Tim Hortons did not collect or use personal information for appropriate purposes in the circumstances<ref>{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée}}</ref>
*Tim Hortons did not collect or use personal information for appropriate purposes in the circumstances<ref name=":0" />


*Tim Hortons did not obtain valid consent, as would have been required for its collection and use of the Radar Location Data through the App had we found Tim Hortons to have had an appropriate purpose.<ref>{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée}}</ref>
*Tim Hortons did not obtain valid consent, as would have been required for its collection and use of the Radar Location Data through the App had we found Tim Hortons to have had an appropriate purpose.<ref name=":0" />


During the course of the Investigation two additional concerns were identified:
During the course of the Investigation two additional concerns were identified:


*The contractual protections Tim Hortons implemented to protect Users’ personal information while being processed by a third-party service provider.<ref>{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée}}</ref>
*The contractual protections Tim Hortons implemented to protect Users’ personal information while being processed by a third-party service provider.<ref name=":0" />


*Accountability, and Tim Hortons’ apparent failure to implement policies and practices to ensure compliance with the Acts.<ref>{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée}}</ref>
*Accountability, and Tim Hortons’ apparent failure to implement policies and practices to ensure compliance with the Acts.<ref>{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée |archive-url=http://web.archive.org/web/20251009200547/https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |archive-date=9 Oct 2025}}</ref>


==Tim Hortons' response post investigation==
==Tim Hortons' response post investigation==


Deletion: [Tim Hortons] agreed to comply with the recommendation detailed in paragraph 90 within one (1) month of the lifting of any relevant litigation holds, which currently prevents [Tim Hortons] from deleting, or effecting deletion, of the data in question, following a final disposition of the matters underlying the litigation holds. In the interim, [Tim Hortons] will not use the data for any purpose other than in relation to the associated litigation. [Tim Hortons] will inform our Offices in writing of its compliance with this commitment within 14 days of completing the required deletions, including with a detailed description of the data deleted by [Tim Hortons] and that deleted by its third-party service providers.<ref>{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée}}</ref>
Deletion: [Tim Hortons] agreed to comply with the recommendation detailed in paragraph 90 within one (1) month of the lifting of any relevant litigation holds, which currently prevents [Tim Hortons] from deleting, or effecting deletion, of the data in question, following a final disposition of the matters underlying the litigation holds. In the interim, [Tim Hortons] will not use the data for any purpose other than in relation to the associated litigation. [Tim Hortons] will inform our Offices in writing of its compliance with this commitment within 14 days of completing the required deletions, including with a detailed description of the data deleted by [Tim Hortons] and that deleted by its third-party service providers.<ref name=":0" />


Privacy Management Program: [Tim Hortons] agreed to comply with the recommendations detailed in paragraph 91 and 92 within twelve (12) months of the issuance of this report of findings, noting the effort and resources that would be required to implement such a program. [Tim Hortons] further agreed to provide quarterly written updates to our Offices detailing work completed, and progress to completion, on development and implementation of the privacy management program to date.<ref>{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée}}</ref>
Privacy Management Program: [Tim Hortons] agreed to comply with the recommendations detailed in paragraph 91 and 92 within twelve (12) months of the issuance of this report of findings, noting the effort and resources that would be required to implement such a program. [Tim Hortons] further agreed to provide quarterly written updates to our Offices detailing work completed, and progress to completion, on development and implementation of the privacy management program to date.<ref name=":0" />


==Class action lawsuits==
==Class action lawsuits==
Restaurant Brands International Inc., the parent company of Tim Hortons, is facing several class-action lawsuits in relation to its mobile app.
Restaurant Brands International Inc., the parent company of Tim Hortons, is facing several class-action lawsuits in relation to its mobile app.


The lawsuits were launched after the Financial Post's reporting on the collection of geolocation data.<ref>{{Cite web |title=Tim Hortons app tracked too much personal information without adequate consent, investigation finds |url=https://www.cbc.ca/news/business/tim-hortons-app-report-1.6473584 |access-date=September 28, 2025 |website=CBC}}</ref>
The lawsuits were launched after the Financial Post's reporting on the collection of geolocation data.<ref name=":0" />
 
 
==See also==
==See also==
[[Main page]][https://www.priv.gc.ca/en/opc-news/news-and-announcements/2022/nr-c_220601/<nowiki>][</nowiki>https://uwaterloo.ca/cybersecurity-privacy-institute/news/tim-hortons-app-violated-privacy-laws-after-collecting<nowiki>]</nowiki>
*https://www.priv.gc.ca/en/opc-news/news-and-announcements/2022/nr-c_220601/
 
*https://uwaterloo.ca/cybersecurity-privacy-institute/news/tim-hortons-app-violated-privacy-laws-after-collecting
==References==
==References==
{{Reflist}}


<nowiki/>{{Placeholder box|[[mw:Help:VisualEditor/User_guide#Editing_categories|Add a category]] with the same name as the product, service, website, software, product line or company that this article is about.
[[Category:Tim Hortons]]
 
[[Category:2019 incidents]]
The "Incidents" category is not needed.}}
[[Category:2022 incidents]]
 
<references />
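Review bot: in the "Class action lawsuits" section, the sentence about the lawsuits following the Financial Post's reporting loses its CBC citation and now points at the named reference ":0", which is the OPC investigation report; keep the CBC citation there unless the OPC report is confirmed to support that sentence. The "Accountability" bullet still repeats the full Cite web template where the other bullets use the named reference ":0", so it should be collapsed the same way. The References section shows both a Reflist template and a references tag, which risks rendering the list twice; keep only one.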