If you think that other companies aren’t doing this for one hot second, you’re crazy.

The Tim Hortons app used location data to infer where users lived, worked, and whether they were travelling. It generated an “event” every time users entered and left their homes, entered and exited their office, or travelled. https://t.co/ZvPJnTx8CT pic.twitter.com/yx1q8dqQtH

— OPC (@PrivacyPrivee) June 1, 2022

Canada’s Privacy Commissioner: We found that in May 2019, Tim Hortons released updated versions of its App so that it could, with assistance from a US third-party service provider (“Radar”), track and collect the location of Users’ devices.  For the devices of Users who provided their “permission”, Radar would, on behalf of Tim Hortons, collect and process the Users’ device location, as often as every few minutes, to: (i) infer the location of a User’s home and place of work, and when they were travelling; and (ii) identify when the User was visiting a Tim Hortons competitor.

We determined that Tim Hortons collected the granular location data in question for purposes of delivering targeted advertising, to better promote its coffee and associated products, but that it never used the data for this identified purpose. Tim Hortons’ actual use of the data was very limited, as the company decided to refocus on other commercial priorities shortly after updating the App and the company used the data on an aggregated, de-identified basis to conduct limited analytics related to User trends.

In our view, Tim Hortons did not collect and use the granular location data in question for an appropriate purpose in the circumstances. First, Tim Hortons did not have a legitimate need to collect vast amounts of sensitive location information where it never used that information for its stated purpose. Furthermore, the consequences associated with the App’s collection of that data, the vast majority of which was collected when the App was not in use, represented a loss of Users’ privacy that was not proportional to the potential benefits Tim Hortons may have hoped to gain from improved targeted promotion of its coffee and associated products.

Although Users cannot provide consent when the purpose for the collection, use and disclosure of personal information is not appropriate, reasonable or legitimate within the meaning of the Acts, we nonetheless reviewed Tim Hortons’ attempts to obtain consent. We found that Tim Hortons did not obtain valid consent, as would have been required for its collection and use of the data in question had we found Tim Hortons to have had an appropriate purpose. Tim Hortons failed to inform Users that it would collect their location information even when the App was closed, which would result in much more extensive collection, as compared to collection while the App was in use. Relatedly, it also made misleading statements to Users (in certain permission requests and FAQs) that it would only collect information when the App was open. Finally, Tim Hortons also failed to ensure Users understood the consequences of consenting to the continual collection of granular location data when the app was closed, which could result in their location information being collected as often as every few minutes, every day, everywhere they traveled, when their device was on.

Additionally, while we did not conduct an in-depth review of the contractual terms between RBI and Radar, we noted concerns with respect to contractual protections Tim Hortons implemented to protect Users’ personal information while being processed by Radar. The language in those contractual clauses was vague and permissive and indicated that the service provider could have used User information for its own purposes, or disclosed such data and information in aggregated or de-identified form (which could still represent personal information) in connection with its own business.

NO WAY!!!

https://twitter.com/elisundaes/status/1533093435502116865?s=20

Doug Ford’s FAVOURITE hedge fund, RBI Brands International, engaged in illegal data harvesting and tracking their customers!??

NO WAY!!!

And you’re telling me Tim Horton’s used vague language in their contractual terms to steal information from people’s phones to generate more revenue for their shareholders??

NO WAY!!!

How shit is their coffee if they feel like they have to use illegal surveillance of customers to get us to spend money? Seriously.

Here’s an idea:

Maybe have the ingredients for your menu items before you start hacking phones to drive traffic

Last week I went to Tim’s to grab my son a sandwich before his baseball game. This was the exchange:

Me: I’ll have two chicken craveables, please?

Them: We don’t have buns 

Me: Can I get a loaded chicken wrap?

Them: We don’t got no chicken (yes, just like that).

Me: OK, let’s start with what you DO have?

Them: We don’t got donuts, chicken or buns but we have the other stuff

Me: DO you have Chili?

Them: No. We don’t have that stuff. Or Decaf

That only happens to everyone, everyday. I’m not special.

Makes you wonder why Tim’s was trying to get people into their stores when they don’t have thing to sell.

DB

*If you HAVE to get their coffee, go dark roast with a shot of vanilla flavour. You’re welcome.

**Every app tracks you.

Cheers!