❗Article Status Notice: This Article is a stub
This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues. Learn more ▼
⚠️ A deletion request has been made for this article
There has been a deletion request for this page for the following reason:
Only a few sentences, no NPOV, no inline references.
This request will be reviewed and acted upon by the wiki moderation team within one week of the template being added.
To appeal this deletion request, please make an entry at the Moderator's noticeboard.
Background
In June of 2022, reports in Canada went viral regarding the Tim Hortons Android app which was collecting personal information from users phones without consent. Tim Hortons used a third-party service, Radar, to collect geolocation data of users. it is alleged that they stopped this practice in August of 2020. One of the pieces of data reported back to the Tim Hortons servers included information about when a person with this app on their phone was visiting a competitor coffee shop.
Tim Hortons app tracked too much personal information without adequate consent (May 2019)
Starting in in May 2019 Tim Hortons released updated versions of its App so that it could, with assistance from a US third-party service provider (“Radar”), track and collect the location of Users’ devices. [1]
In August 2020, subsequent to notification of investigation by the Office of the Privacy Commissioner of Canada, Tim Hortons permanently ceased collecting granular location data, via the App, for purposes of targeted advertising.[2]
Investigation Report by the Office of the Privacy Commissioner of Canada (June 1, 2022)
The finding from the investigation are as follows:
- Tim Hortons did not collect or use personal information for appropriate purposes in the circumstances[3]
- Tim Hortons did not obtain valid consent, as would have been required for its collection and use of the Radar Location Data through the App had we found Tim Hortons to have had an appropriate purpose.[4]
During the course of the Investigation two additional concerns were identified:
- The contractual protections Tim Hortons implemented to protect Users’ personal information while being processed by a third-party service provider.[5]
- Accountability, and Tim Hortons’ apparent failure to implement policies and practices to ensure compliance with the Acts.[6]
Tim Hortons' response post investigation
Deletion: [Tim Hortons] agreed to comply with the recommendation detailed in paragraph 90 within one (1) month of the lifting of any relevant litigation holds, which currently prevents [Tim Hortons] from deleting, or effecting deletion, of the data in question, following a final disposition of the matters underlying the litigation holds. In the interim, [Tim Hortons] will not use the data for any purpose other than in relation to the associated litigation. [Tim Hortons] will inform our Offices in writing of its compliance with this commitment within 14 days of completing the required deletions, including with a detailed description of the data deleted by [Tim Hortons] and that deleted by its third-party service providers.[7]
Privacy Management Program: [Tim Hortons] agreed to comply with the recommendations detailed in paragraph 91 and 92 within twelve (12) months of the issuance of this report of findings, noting the effort and resources that would be required to implement such a program. [Tim Hortons] further agreed to provide quarterly written updates to our Offices detailing work completed, and progress to completion, on development and implementation of the privacy management program to date.[8]
Class action lawsuits
Restaurant Brands International Inc., the parent company of Tim Hortons, is facing several class-action lawsuits in relation to its mobile app.
The lawsuits were launched after the Financial Post's reporting on the collection of geolocation data.[9]
See also
Main page[https://www.priv.gc.ca/en/opc-news/news-and-announcements/2022/nr-c_220601/][https://uwaterloo.ca/cybersecurity-privacy-institute/news/tim-hortons-app-violated-privacy-laws-after-collecting]
References
- ↑ "Joint investigation into location tracking by the Tim Hortons App". Commissariat à la protection de la vie privée. Retrieved September 28, 2025.
- ↑ "Joint investigation into location tracking by the Tim Hortons App". Commissariat à la protection de la vie privée. Retrieved September 28, 2025.
- ↑ "Joint investigation into location tracking by the Tim Hortons App". Commissariat à la protection de la vie privée. Retrieved September 28, 2025.
- ↑ "Joint investigation into location tracking by the Tim Hortons App". Commissariat à la protection de la vie privée. Retrieved September 28, 2025.
- ↑ "Joint investigation into location tracking by the Tim Hortons App". Commissariat à la protection de la vie privée. Retrieved September 28, 2025.
- ↑ "Joint investigation into location tracking by the Tim Hortons App". Commissariat à la protection de la vie privée. Retrieved September 28, 2025.
- ↑ "Joint investigation into location tracking by the Tim Hortons App". Commissariat à la protection de la vie privée. Retrieved September 28, 2025.
- ↑ "Joint investigation into location tracking by the Tim Hortons App". Commissariat à la protection de la vie privée. Retrieved September 28, 2025.
- ↑ "Tim Hortons app tracked too much personal information without adequate consent, investigation finds". CBC. Retrieved September 28, 2025.