Tim Hortons collected location data constantly, without consent, report finds

Hortons hears a sue

From May 2019 through August 2020, the mobile app published by multinational restaurant chain Tim Hortons surveilled customers constantly by gathering their location data without valid consent, according to a Canadian government investigation.

In a report published Wednesday, Office of the Privacy Commissioner (OPC) of Canada and the privacy commissioners from three provinces – Alberta, British Columbia, and Quebec – presented the results of an inquiry that began shortly after the publication of a June 2020 National Post article.

That article revealed the Tim Hortons app tracked location data every few minutes even when relegated to the background, and the report compiled by Canadian privacy officials confirmed as much.

"We found that in May 2019, Tim Hortons released updated versions of its app so that it could, with assistance from a US third-party service provider ('Radar'), track and collect the location of users’ devices," the OPC report reads.

"For the devices of users who provided their 'permission,' Radar would, on behalf of Tim Hortons, collect and process the users' device location, as often as every few minutes, to: (i) infer the location of a user's home and place of work, and when they were traveling; and (ii) identify when the user was visiting a Tim Hortons competitor."

Tim Hortons has almost 5,000 locations in 15 countries. It began in Hamilton, Ontario, as a burger restaurant and expanded as a chain of donut shops until the 1990s. There was a 1995 merger with Wendy's, a return to independence, then a merger with Burger King in 2014. Then later that year the two chains became subsidiaries of parent company Restaurant Brands International.

In the wake of the National Post article, four lawsuits were filed against Tim Hortons alleging privacy law violations.

"All of the complaints allege that the defendants violated the plaintiff's privacy rights, the Personal Information Protection and Electronic Documents Act, consumer protection and competition laws or app-based undertakings to users, in each case in connection with the collection of geolocation data through the Tim Hortons mobile application, and in certain cases, the Burger King and Popeyes mobile applications," the company explains in its latest 10-Q financial report.

We are unable to predict the ultimate outcome of any of these cases or estimate the range of possible loss, if any

"Each plaintiff seeks injunctive relief and monetary damages for himself or herself and other members of the class. These cases are in preliminary stages and we intend to vigorously defend against these lawsuits, but we are unable to predict the ultimate outcome of any of these cases or estimate the range of possible loss, if any."

The OPC investigation concluded that detailed location data had been gathered for the purpose of delivering targeted ads promoting company products, but was never used for that specific purpose. Instead, the Toronto-based restaurant chain used the info, aggregated and de-identified, for usage trend analysis after abandoning its targeted ad plan.

But that being the case, Canadian privacy officials said the data collection was not necessary. The restaurant chain collected a vast amount of sensitive information that wasn't used for its stated purpose and imposed a privacy cost beyond the potential marketing benefits.

The report also found that the app did not obtain valid consent to use location data and made misleading statements to users that it would only collect data when the app was open. In fact, the app collected location data, via its Radar SDK, whether it was in the foreground or background – but not when it was closed/quit.

The app debuted in 2017 and by July 2020 had been downloaded almost 10 million times, though it was only used actively by about 1,600,000 people that month. Following the addition of the Radar SDK to the app in May 2019, the app gathered precise GPS location coordinates and related data like timestamps every 2.5 or 6 minutes – depending on the app version – until the user was determined to be stationary.

The SDK tracked location arrival and departure events (e.g. home, office, competing restaurants) that were referenced in code with constants like:


"Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers," said Daniel Therrien, Privacy Commissioner of Canada, in a statement. "Following people's movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians."

In a statement emailed to The Register, a Tim Hortons spokesperson said the company has fully cooperated with the privacy commissions' investigations and is working to implement their recommendations.

The food biz pointed to the report's finding that geolocation data collected was never used for targeted ads and the fact that no new changes to its app have been required. Tim Hortons made the necessary changes already by disabling the Radar SDK in August 2020 and removing the library code a month later.

Illustration of location tracking in a city

Location tracking report: X-Mode SDK use much more widespread than first thought


"In June 2020, we took immediate steps to improve how we communicate with guests about the data they share with us and began reviewing our privacy practices with external experts," a company spokesperson said. "Shortly thereafter, we proactively removed the geolocation technology outlined in the report from the Tims app.

"Data from this geolocation technology was never used for personalized marketing for individual guests. The very limited use of this data was on an aggregated, de-identified basis to study trends in our business – and the results did not contain personal information from any guests.

"We’ve strengthened our internal team that’s dedicated to enhancing best practices when it comes to privacy and we're continuing to focus on ensuring that guests can make informed decisions about their data when using our app."

A Radar spokesperson told The Register in an email that the location data at issue is being retained as a consequence of pending litigation and will be deleted when the company is allowed to do so.

Asked whether there are other apps implementing the Radar SDK without obtaining valid consent, the company said, "Radar's customers are responsible for obtaining appropriate consent. We are not aware of any other situations in which our customers have not obtained appropriate consent for the collection and use of location data." ®

Other stories you might like

  • If Twitter forgets your timeline preference, and you're using Safari, this is why
    Privacy through amnesia not ideal for remembering user choice

    Apple's Intelligent Tracking Protection (ITP) in Safari has implemented privacy through forgetfulness, and the result is that users of Twitter may have to remind Safari of their preferences.

    Apple's privacy technology has been designed to block third-party cookies in its Safari browser. But according to software developer Jeff Johnson, it keeps such a tight lid on browser-based storage that if the user hasn't visited Twitter for a week, ITP will delete user set preferences.

    So instead of seeing "Latest Tweets" – a chronological timeline – Safari users returning to Twitter after seven days can expect to see Twitter's algorithmically curated tweets under its "Home" setting.

    Continue reading
  • Big Tech silent on data privacy in post-Roe America
    We asked what they will do to prevent cases being built against women. So far: Nothing

    Period- and fertility-tracking apps have become weapons in Friday's post-Roe America.

    These seemingly innocuous trackers contain tons of data about sexual history, menstruation and pregnancy dates, all of which could now be used to prosecute women seeking abortions — or incite digital witch hunts in states that offer abortion bounties.

    Under a law passed last year in Texas, any citizen who successfully sues an abortion provider, a health center worker, or anyone who helps someone access an abortion after six weeks can claim at least $10,000, and other US states are following that example.

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading

Biting the hand that feeds IT © 1998–2022