Restaurant’s data collection practices investigated
Officials look into whether chain obtains ‘meaningful consent’ for data collection
In a rare move, four Canadian privacy commissioners said Monday they are launching an investigation into data collection practices by Tim Hortons on its mobile ordering app.
In a joint statement, the federal privacy commissioner, along with provincial commissioners in Quebec, Alberta and British Columbia, said they are now formally investigating.
Earlier this month, The Financial Post reported that the restaurant chain’s app was accessing a user’s location data as often as every three to five minutes, even when the app wasn’t open. That data was being transmitted to an American company called Radar Labs, which was analyzing the data to infer where users lived and worked, and the app logged every time the company thought a user was visiting one of Tim Hortons’ competitors, such as Starbucks or McDonald’s.
The privacy commissioners said they “will look at whether the organization is obtaining meaningful consent from app users to collect and use their geolocation data for purposes which could include the amassing and use of detailed user profiles, and whether that collection and use of the data is appropriate in the circumstances.”
In an emailed statement, Tim Hortons chief corporate officer Duncan Fulton said that the company will fully co-operate with the investigation, and that the company has discontinued the background data collection practices that the Financial Post documented earlier this year.
“Since Tim Hortons launched our mobile app, our guests always had the choice of whether they share location data with us, including ‘always’ sharing location data — an option offered by many companies on their own apps,” Fulton said.
“We recently updated the Tim Hortons app to limit the collection of location data to only while guests have our app open, even if a guest has selected ‘Always’ in their device settings.”
The Tim Hortons app needs to know a user’s location to route an order to the nearest restaurant, but the company said that logging user location in the background also allowed it to target relevant promotional offers to customers.
The company, which is a subsidiary of Toronto-based Restaurant Brands International Inc., has repeatedly said that users consented to tracking because they gave the app location permission, but Ann Cavoukian, a former Ontario privacy commissioner and outspoken privacy advocate, called that “ridiculous.”
“No one had the expectation that this information was being collected and retained — the cellphone geolocation data. It’s absurd to think that people were consenting to that,” Cavoukian said.
“I’m really glad that all these commissioners are working together to address this issue, because they see it is such an absurdity, the total lack of transparency.”
Brenda McPhail, director of the Privacy, Surveillance, and Technology Project with the Canadian Civil Liberties Association, said that the joint investigation by the four privacy commissioners is significant as B.C., Alberta and Quebec are the only three provinces with their own privacy laws distinct from the federal law.
“What it means when all four of those commissioners get together is that they’re looking to do an investigation that is relevant in every jurisdiction in Canada,” McPhail said. “They’re making really sure that there are no gaps in this investigation.”
The case also highlights the flaws in Canada’s privacy laws, as investigations typically only come about after public attention and media reporting. “The law regulating private sector use of information in Canada is not strong enough, and the enforcement is insufficient to hold companies properly to account,” McPhail said.
Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, said that the Tim Hortons case demonstrates that regulations need to improve, but the backlash also shows that companies should be careful not to overreach with data collection. “If we don’t have effective regulation, I don’t think we’re going to reach the kind of solution that many would like to see ... it’s clear that the public has certain red lines, so to speak,” he said.