Tim Hortons app collects user data without consent: Difference between revisions

No edit summary
 
(9 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{Stub}}
{{Incomplete}}
{{Delete|Only a few sentences, no NPOV, no inline references.}}
{{IncidentCargo
In June of 2022, reports in Canada went viral regarding the Tim Hortons Android app which was collecting personal information from users phones without consent. Tim Hortons used a third-party service, Radar, to collect geolocation data of users. it is alleged that they stopped this practice in August of 2020. One of the pieces of data reported back to the Tim Hortons servers included information about when a person with this app on their phone was visiting a competitor coffee shop.  
|Company=Radar, Tim Hortons
|StartDate=2019-05
|EndDate=2020-08
|Status=Resolved
|ProductLine=
|Product=Tim Hortons App
|ArticleType=Service
|Type=Data, Privacy
|Description=
}}
==Background==
In June of 2022, reports in Canada went viral regarding the Tim Hortons Android app which was collecting personal information from users phones without consent. Tim Hortons used a third-party service, Radar, to collect geolocation data of users. it is alleged that they stopped this practice in August of 2020. One of the pieces of data reported back to the Tim Hortons servers included information about when a person with this app on their phone was visiting a competitor coffee shop.


==Background==
==Tim Hortons app tracked too much personal information without adequate consent (May 2019)==
{{Placeholder box|In June of 2022, reports in Canada went viral regarding the Tim Hortons Android app which was collecting personal information from users phones without consent. Tim Hortons used a third-party service, Radar, to collect geolocation data of users. it is alleged that they stopped this practice in August of 2020. One of the pieces of data reported back to the Tim Hortons servers included information about when a person with this app on their phone was visiting a competitor coffee shop. }}


==[Incident]==
Starting in in May 2019 Tim Hortons released updated versions of its App so that it could, with assistance from a US third-party service provider (“Radar”), track and collect the location of Users’ devices. <ref name=":0">{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée |archive-url=http://web.archive.org/web/20251009200547/https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |archive-date=9 Oct 2025}}</ref>
{{Placeholder box|Change this section's title to be descriptive of the incident.


Impartial and complete description of the events, including actions taken by the company, and the timeline of the incident coming to the public's attention.}}
In August 2020, subsequent to notification of investigation by the Office of the Privacy Commissioner of Canada, Tim Hortons permanently ceased collecting granular location data, via the App, for purposes of targeted advertising.<ref name=":0" />


===[Company]'s response===
==Investigation Report by the Office of the Privacy Commissioner of Canada (June 1, 2022)==
{{Placeholder box|If applicable, add the proposed solution to the issues by the company.}}


The finding from the investigation are as follows:


==Lawsuit==
*Tim Hortons did not collect or use personal information for appropriate purposes in the circumstances<ref name=":0" />
{{Placeholder box|If applicable, add any information regarding litigation around the incident here.


===Claims===
*Tim Hortons did not obtain valid consent, as would have been required for its collection and use of the Radar Location Data through the App had we found Tim Hortons to have had an appropriate purpose.<ref name=":0" />
Main claims of the suit.


===Rebuttal===
During the course of the Investigation two additional concerns were identified:
The response of the company or counterclaims.


===Outcome===
*The contractual protections Tim Hortons implemented to protect Users’ personal information while being processed by a third-party service provider.<ref name=":0" />
The outcome of the suit, if any.}}


*Accountability, and Tim Hortons’ apparent failure to implement policies and practices to ensure compliance with the Acts.<ref>{{Cite web |title=Joint investigation into location tracking by the Tim Hortons App |url=https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |access-date=September 28, 2025 |website=Commissariat à la protection de la vie privée |archive-url=http://web.archive.org/web/20251009200547/https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/ |archive-date=9 Oct 2025}}</ref>


==Consumer response==
==Tim Hortons' response post investigation==
{{Placeholder box|Summary and key issues of prevailing sentiment from the consumers and commentators that can be documented via articles, emails to support, reviews and forum posts.}}


Deletion: [Tim Hortons] agreed to comply with the recommendation detailed in paragraph 90 within one (1) month of the lifting of any relevant litigation holds, which currently prevents [Tim Hortons] from deleting, or effecting deletion, of the data in question, following a final disposition of the matters underlying the litigation holds. In the interim, [Tim Hortons] will not use the data for any purpose other than in relation to the associated litigation. [Tim Hortons] will inform our Offices in writing of its compliance with this commitment within 14 days of completing the required deletions, including with a detailed description of the data deleted by [Tim Hortons] and that deleted by its third-party service providers.<ref name=":0" />


==References==
Privacy Management Program: [Tim Hortons] agreed to comply with the recommendations detailed in paragraph 91 and 92 within twelve (12) months of the issuance of this report of findings, noting the effort and resources that would be required to implement such a program. [Tim Hortons] further agreed to provide quarterly written updates to our Offices detailing work completed, and progress to completion, on development and implementation of the privacy management program to date.<ref name=":0" />
https://www.priv.gc.ca/en/opc-news/news-and-announcements/2022/nr-c_220601/


https://www.cbc.ca/news/business/tim-hortons-app-report-1.6473584
==Class action lawsuits==
Restaurant Brands International Inc., the parent company of Tim Hortons, is facing several class-action lawsuits in relation to its mobile app.


https://uwaterloo.ca/cybersecurity-privacy-institute/news/tim-hortons-app-violated-privacy-laws-after-collecting<nowiki/>{{Placeholder box|[[mw:Help:VisualEditor/User_guide#Editing_categories|Add a category]] with the same name as the product, service, website, software, product line or company that this article is about.
The lawsuits were launched after the Financial Post's reporting on the collection of geolocation data.<ref name=":0" />
==See also==
*https://www.priv.gc.ca/en/opc-news/news-and-announcements/2022/nr-c_220601/
*https://uwaterloo.ca/cybersecurity-privacy-institute/news/tim-hortons-app-violated-privacy-laws-after-collecting
==References==
{{Reflist}}


The "Incidents" category is not needed.}}
[[Category:Tim Hortons]]
[[Category:2019 incidents]]
[[Category:2022 incidents]]
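Review bot: The Background paragraph still has no inline reference and hedges with "it is alleged that they stopped this practice in August of 2020", while the incident section cites the OPC report for Tim Hortons having "permanently ceased collecting granular location data" in August 2020; add <ref name=":0" /> to Background and align its wording with the sourced statement. The "Accountability" bullet repeats the full Cite web template instead of reusing <ref name=":0" />, which will show up as a second, duplicate entry under Reflist. The findings and commitments are copied in the regulator's first person ("had we found Tim Hortons", "our Offices") and should be marked as quotations or paraphrased. The sentence on the class-action lawsuits against Restaurant Brands International Inc. carries no citation, and "Starting in in May 2019", "The finding from the investigation are" and "users phones" need copy edits.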