Tim Hortons collected location data constantly, without consent, report finds

Hortons hears a sue


From May 2019 through August 2020, the mobile app published by multinational restaurant chain Tim Hortons surveilled customers constantly by gathering their location data without valid consent, according to a Canadian government investigation.

In a report published Wednesday, Office of the Privacy Commissioner (OPC) of Canada and the privacy commissioners from three provinces – Alberta, British Columbia, and Quebec – presented the results of an inquiry that began shortly after the publication of a June 2020 National Post article.

That article revealed the Tim Hortons app tracked location data every few minutes even when relegated to the background, and the report compiled by Canadian privacy officials confirmed as much.

"We found that in May 2019, Tim Hortons released updated versions of its app so that it could, with assistance from a US third-party service provider ('Radar'), track and collect the location of users’ devices," the OPC report reads.

"For the devices of users who provided their 'permission,' Radar would, on behalf of Tim Hortons, collect and process the users' device location, as often as every few minutes, to: (i) infer the location of a user's home and place of work, and when they were traveling; and (ii) identify when the user was visiting a Tim Hortons competitor."

Tim Hortons has almost 5,000 locations in 15 countries. It began in Hamilton, Ontario, as a burger restaurant and expanded as a chain of donut shops until the 1990s. There was a 1995 merger with Wendy's, a return to independence, then a merger with Burger King in 2014. Then later that year the two chains became subsidiaries of parent company Restaurant Brands International.

In the wake of the National Post article, four lawsuits were filed against Tim Hortons alleging privacy law violations.

"All of the complaints allege that the defendants violated the plaintiff's privacy rights, the Personal Information Protection and Electronic Documents Act, consumer protection and competition laws or app-based undertakings to users, in each case in connection with the collection of geolocation data through the Tim Hortons mobile application, and in certain cases, the Burger King and Popeyes mobile applications," the company explains in its latest 10-Q financial report.

We are unable to predict the ultimate outcome of any of these cases or estimate the range of possible loss, if any

"Each plaintiff seeks injunctive relief and monetary damages for himself or herself and other members of the class. These cases are in preliminary stages and we intend to vigorously defend against these lawsuits, but we are unable to predict the ultimate outcome of any of these cases or estimate the range of possible loss, if any."

The OPC investigation concluded that detailed location data had been gathered for the purpose of delivering targeted ads promoting company products, but was never used for that specific purpose. Instead, the Toronto-based restaurant chain used the info, aggregated and de-identified, for usage trend analysis after abandoning its targeted ad plan.

But that being the case, Canadian privacy officials said the data collection was not necessary. The restaurant chain collected a vast amount of sensitive information that wasn't used for its stated purpose and imposed a privacy cost beyond the potential marketing benefits.

The report also found that the app did not obtain valid consent to use location data and made misleading statements to users that it would only collect data when the app was open. In fact, the app collected location data, via its Radar SDK, whether it was in the foreground or background – but not when it was closed/quit.

The app debuted in 2017 and by July 2020 had been downloaded almost 10 million times, though it was only used actively by about 1,600,000 people that month. Following the addition of the Radar SDK to the app in May 2019, the app gathered precise GPS location coordinates and related data like timestamps every 2.5 or 6 minutes – depending on the app version – until the user was determined to be stationary.

The SDK tracked location arrival and departure events (e.g. home, office, competing restaurants) that were referenced in code with constants like:

  • USER_ENTERED_HOME; USER_EXITED_HOME;
  • USER_ENTERED_OFFICE; USER_EXITED_OFFICE;
  • USER_STARTED_TRAVELING; USER_STOPPED_TRAVELING; and
  • USER_ENTERED_GEOFENCE; USER_EXITED_GEOFENCE.

"Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers," said Daniel Therrien, Privacy Commissioner of Canada, in a statement. "Following people's movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians."

In a statement emailed to The Register, a Tim Hortons spokesperson said the company has fully cooperated with the privacy commissions' investigations and is working to implement their recommendations.

The food biz pointed to the report's finding that geolocation data collected was never used for targeted ads and the fact that no new changes to its app have been required. Tim Hortons made the necessary changes already by disabling the Radar SDK in August 2020 and removing the library code a month later.

Illustration of location tracking in a city

Location tracking report: X-Mode SDK use much more widespread than first thought

RELATED

"In June 2020, we took immediate steps to improve how we communicate with guests about the data they share with us and began reviewing our privacy practices with external experts," a company spokesperson said. "Shortly thereafter, we proactively removed the geolocation technology outlined in the report from the Tims app.

"Data from this geolocation technology was never used for personalized marketing for individual guests. The very limited use of this data was on an aggregated, de-identified basis to study trends in our business – and the results did not contain personal information from any guests.

"We’ve strengthened our internal team that’s dedicated to enhancing best practices when it comes to privacy and we're continuing to focus on ensuring that guests can make informed decisions about their data when using our app."

A Radar spokesperson told The Register in an email that the location data at issue is being retained as a consequence of pending litigation and will be deleted when the company is allowed to do so.

Asked whether there are other apps implementing the Radar SDK without obtaining valid consent, the company said, "Radar's customers are responsible for obtaining appropriate consent. We are not aware of any other situations in which our customers have not obtained appropriate consent for the collection and use of location data." ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022