There’s a privacy hole in this popular doughnut chain’s app

There’s a privacy hole in this popular doughnut chain’s app thumbnail

A Canadian government investigation into Tim Hortons found the coffee chain’s app continually tracked users, collecting location data “even when their app was not open.” In a statement published Wednesday, the Office of the Privacy Commissioner of Canada claimed the app would use that location information to “infer where users lived” and worked, and flag if they went to a competing coffee shop. Officials claim this practice is against Canadian privacy laws.

“Tim Hortons clearly strayed from the line by acquiring a large amount of highly sensitive information regarding its customers. Daniel Therrien, Canadian Privacy Commissioner, stated that following people’s movements for a few minutes every day was clearly an inappropriate form of surveillance.

Tim Hortons used Radar, a third party service provider based out of the United States to track and collect location data. The government Report initially claimed that the company intended to use this data to target advertising. However, they eventually decided to stop using that strategy. Tim Hortons claims it used the data for tracking trends, such as user activity changes during the pandemic. It stopped such data collection after federal and provincial privacy authorities launched their inquiry in 2020. The investigation itself was spurred by a 2020 report in the Financial Post, which first revealed the tracking practices.

[Related: How data brokers threaten your privacy]

Still, officials warned that privacy concerns related to the app remain due to the language of the Radar agreement, which was “so vague and permissive” that Radar could still choose to access and sell “de-identified” location data. (Radar told regulators that it had no intention to do so, saying its “business model is to sell software, not data.”) Experts have cautioned that it can be easy to re-identify data based on user movements and regular routines, creating a significant privacy risk.

The report recommended that Tim Hortons delete all remaining data and call third-party providers Radar to also delete their records. It also requested that the coffee chain retool its privacy management program in order to include “privacy impacts assessments” for its app. According to the statement, Tim Hortons has agreed to move forward with those suggestions. The Verge notes that its app now claims to only use location data to help users find nearby stores for mobile orders.

Colleen Hagerty

Read More