By now, we are used to seeing notifications on our phones asking whether we would like certain applications to track our activity across other companies’ apps and websites. Typically, these tracking tools are used to examine and assess advertising efficiency. Although beneficial marketing tools, companies must be mindful of how tracking tools are used on their platform to avoid infringing on individuals’ data privacy rights.

Recently, Canadian regulators found that Tim Hortons, a coffee and bake shop chain, violated Canada’s federal privacy laws, including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), by tracking customers’ (who downloaded its app) movement every few minutes of every day. Following an app update in May 2019, the company allegedly tracked users not only when using the app, but whenever individuals’ devices were turned on –collecting massive amounts of location data without users’ knowledge.

In 2020, the Office of the Privacy Commissioner of Canada (OPC) and Canada’s three provincial private-sector privacy authorities (collectively, the “Regulators”) commenced a joint investigation into Tim Hortons and its parent company. The investigation stemmed from a news article in which the author detailed how he discovered the Tim Hortons’ app was tracking him nonstop, despite permitting the app to access the location functionality of his cellphone only while the app was open. The app instead tracked the author’s location even when it was closed (allegedly more than 2,700 times in less than five months), to infer his home, place of work, travel status, and when he was visiting a Tim Hortons competitor. Following this article’s publication, the Regulators sought to determine whether Tim Hortons:

  1. collected and used granular GPS-based location information through the app for a purpose that a reasonable person would consider appropriate and reasonable to fulfill a legitimate need; and
  2. obtained adequate consent from app users to collect and use their granular location data.

After a two-year investigation, the Regulators concluded the answer to both questions was “no” and found four primary issues with Tim Hortons’ tracking practices.

  • Improper Use of Location Data. Regulators determined that Tim Hortons collected granular location data to deliver targeted advertising, to better promote its coffee and associated products, but that it never used the data for this identified purpose. Even though Tim Hortons’ actual use of the data was minimal and used on an aggregated, de-identified basis to conduct limited analytics related to user trends, the Regulators found that Tim Hortons did not collect and use the location data for an appropriate purpose.

The Regulators found that “Tim Hortons did not have a legitimate need to collect vast amounts of sensitive location information where it never used that information for its stated purpose. Furthermore, the consequences associated with the [a]pp’s collection of that data, the vast majority of which was collected when the [a]pp was not in use, represented a loss of [u]sers’ privacy that was not proportional to the potential benefits Tim Hortons may have hoped to gain from improved targeted promotion of its coffee and associated products.”

  • No Valid Consent. The Regulators also found that Tim Hortons did not obtain valid consent, as would have been required to collect and use the data had they found Tim Hortons had an appropriate purpose. According to the OPC, Tim Hortons failed to inform users that it would collect their location information even when the app was closed, resulting in much more extensive collection than collection only while the app was in use. The company also made misleading statements to users (in certain permission requests and FAQs) that it would only collect information when the app was open. Finally, Tim Hortons failed to ensure users understood the consequences of consenting to the continual collection of granular location data when the app was closed, which could lead to their location information being collected as often as every few minutes, every day, and everywhere they traveled when their device was on.
  • Service Providers’ Use of Data. OPC also noted concerns with the contractual provisions Tim Hortons implemented to protect users’ personal information while being processed by third-party service providers. The Regulators found that language in Tim Hortons’ contracts was vague and permissive and indicated that the service provider could have used user information for its own purposes, or disclosed such data and information in aggregated or de-identified form which could still represent personal information in connection with its own business. The Regulators stated, “[w]e would have expected to see more robust protections, particularly given the volume and potential sensitivity of the location information in question, and heightened risk in the broader context of the current location tracking ecosystem, where valuable location information can be gathered by apps, and app service providers, and disclosed to data aggregators for targeted advertising and other purposes, without the knowledge of affected individuals.”
  • Lack of Accountability. Regulators also concluded that Tim Hortons’ lacked accountability, stating “(i) collection of vast amounts of sensitive personal information for over a year without ever using that information for its stated purpose; and (ii) attempts to obtain consent via permission requests that were materially different across mobile platforms, and inconsistent with the app’s actual operation” was irresponsible.

In response to recommendations by the Regulators, Tim Hortons agreed to: (i) delete all granular location data in question, as well as data derived therefrom, and have its third-party service providers do the same, within one month after legal impediments (in the form of a litigation hold) have been lifted; and (ii) establish, and maintain, a privacy management program for the app and any other apps that the company launches in the future, to comply with Canadian law. Notably, the Regulators did not impose monetary fines and instead focused on privacy reform.

What We Can Learn From Tim Hortons

Data privacy compliance impacts businesses in all industries. Regardless of the product or service, all companies want and use data to improve their products and services, learn about customers and competition, and attempt to grow their business.  While expanding your company’s digital footprint can be great for marketing and advertising, it can also have significant data privacy implications. Understanding the interworking of your application(s)’ and website(s)’ (“platform”) tracking tools, providing appropriate disclosures of the specific tracking devices employed, and obtaining consent to track your platform users are vital.

The Tim Horton tracking issues discussed above are not solely limited to Canadian law. Several pending U.S. laws, such as California’s Consumer Privacy Rights Act (CPRA), Colorado’s Privacy Act (CPA), Connecticut’s An Act Concerning Personal Data Privacy and Online Monitoring, Utah’s Consumer Privacy Act (UCPA), and Virginia’s Consumer Data Protection Act (VCDPA), which take effect in 2023, impose similar consent and disclosure requirements when it comes to collecting geolocation data and using tracking signals for targeted advertising. As a best practice, companies should consider:

  • reviewing your platform’s privacy policy and terms of use anytime functional changes are made to the platform;
  • conducting routine checks on your platform to assess whether your company is obtaining the appropriate consent for all data collected; and
  • examining whether appropriate and accurate notice of tracking signals is disclosed to platform users with specificity.

For more information on data tracking best practices and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.