It was probably a surprise to many who read James McLeod’s article in June 2020, that Tim Hortons’ app collected detailed location information. Ironically, the journalist learned of the personal information the app collected about him from Tim Horton’s response to his access request. Despite only providing the app permission to use the location functionality of his phone while the app was in use, the app had been collecting user location data as frequently as every few minutes of every day, even when the app was not open.
A joint report issued June 1, 2022 by the Office of the Privacy Commissioner of Canada and the private sector privacy authorities of Quebec, Alberta and British Columbia has confirmed that the collection of users’ location information by Tim Hortons’ app was in violation of various Canadian privacy laws. The regulators also found that Tim Hortons did not adequately protect the personal information and lacked accountability for it.
While many businesses do not track location data, Tim Hortons’ experience is an important lesson to those that do collect other information about users through websites, apps and devices. Some key takeaways include:
- Before collecting personal information, businesses should assess whether it has an appropriate purpose that is reasonable. This assessment is contextual and can depend on the sensitivity of the information. A business does not always appreciate that the data it collects over time can be quite rich and sensitive.
- Do not collect personal information if it is not going to be used. Collecting information for targeted advertising may be legal in many circumstances. Tim Hortons’ vast collection of data over time was not proportional to the potential benefits the company hoped to gain from targeted advertising, however, because that never actually occurred.
The commissioners recommended that Tim Hortons develop a privacy management program that ensures collection is necessary and proportional. Through the investigation, the commissioners did not find there was any assessment of the app before its launch and were concerned about whether Tim Hortons had adequate policies and procedures to ensure compliance.
- Consent requires the user be informed of the scope of data collection and its implications. Businesses should understand the tools they implement and explain them to their users. Transparency is the best approach.
Remember, users cannot provide consent if the purpose for collecting the personal information is not appropriate, reasonable, or compliant with privacy laws. Consent will probably not effectively waive privacy protections afforded to individuals by the law. Since Tim Hortons could not prove a valid purpose for their collection of data, they could not obtain proper consent.
- Organizations have an obligation to ensure service providers adequately protect privacy, limit use and disclosure. The commissioners criticized the contractual protections Tim Hortons implemented to protect user personal information while it was being processed and deemed these protections inadequate. While the third-party service provider, Radar, did not use the data for their own purposes, the contractual clauses were found to be vague and permissive.
Related companies also should have protections in place to ensure the protection of privacy and limitation on use and disclosure when transferred.
Hopefully, Tim Hortons’ experience will raise awareness with individuals and businesses alike, so that we can all be more aware and improve privacy practices for the benefit of all Canadians.
Should you have any questions about privacy protection, limit use and disclosure, a member of our Privacy & Data Management Group can assist.
Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.
Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...
- Summer Student
Amit is a summer student in the Vancouver office of Lawson Lundell. He is interested in exploring all practice areas with a particular interest in corporate and real estate matters.
Amit is currently working towards his Juris Doctor ...
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.
Legal Disclaimer: The information made available on this webpage is for information purposes only. It does not constitute legal advice, and should not be relied on as such. Please contact our firm if you need legal advice or have questions about the content of this webpage.