Tim Hortons used its mobile app to collect “vast amounts of location data” from users, including tracking when they visited competing coffee shops, says Canada’s privacy watchdog. Yesterday, the Office of the Privacy Commissioner of Canada released the results of a 2020 investigation into the coffee and donut chain, demanding it delete any remaining location data and limit future collection. Tim Hortons, the commission says, has agreed to implement the regulations.
The full report outlines a sweeping, invasive attempt to deduce Tim Hortons customers’ behavior in order to target advertising at them — although the company apparently never actually used the data for that purpose. It notes that in May 2019, Tim Hortons updated its mobile app to collect granular, frequent location updates from users’ phones. American geofencing platform Radar analyzed patterns in the data to infer where users lived, when they worked, and when they were traveling. The app’s near-constant collection clashed with statements that it only gathered location information when the app was open, and Tim Hortons only updated its disclosures when the Financial Post published an article exposing its detailed data collection — sparking the commission’s investigation.
The app guessed users’ home locations and flagged when they went to sporting events
According to records reviewed by the commission, Tim Hortons sought the data to support trend reports saying customers were switching to its competitors — and as the COVID-19 pandemic unfolded, to track shifts away from downtown locations and toward closer-to-home suburban ones. Its Radar-enabled analysis generated an “event” whenever users visited one of nine Tim Hortons competitors, including McDonald’s, Starbucks, and Second Cup Café. It also checked when people were visiting major sports venues, and it flagged when people left and returned to their place of business. The commission found that Radar generated an average of around 10 events per day for each user.
Tim Hortons apparently considered using the data to run tailored promotional offers based on where users were located, but it ended up refocusing its efforts and used it only for broad trend-based analysis. The commission notes that, even if the data wasn’t used, it was still stored by default for a year — and although it was supposed to be anonymized, numerous studies show it’s not hard to identify individuals based on supposedly anonymous data. Tim Hortons discontinued the program in 2020, a few days after the investigation was announced.
Many smartphone apps track users’ movements, including some that give third parties broad access to that data. Some restaurants have even openly promoted their tracking programs. In 2018, Burger King encouraged people to download the app and order discounted Whoppers when in the vicinity of a McDonald’s. A Skift Table report from the same year found that many restaurants’ apps tracked users without clearly disclosing the practice. But Tim Hortons is apparently no longer one of them. It says its app now only uses location data to identify nearby locations for placing mobile orders, and the commission “uncovered no evidence to the contrary.”