I’ve been reading an article by James McCleod on how he discovered that the Tim Hortons app was tracking consumers’ location in violation of their written privacy assurances. Tim Hortons is a popular coffee/fast food chain in Canada. It is owned by Restaurant Brands International (RBI).
James had requested his data from RBI under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) last fall and then spent months wading through it, trying to understand what they had amassed about him.
According to the data, Tim Hortons had recorded my longitude and latitude coordinates more than 2,700 times in less than five months, and not just when I was using the app.
And that had not been James’ understanding of what the app was allowed to do.
Within the Tim Hortons app, an FAQ covering privacy issues told customers that it tracks location “only when you have the app open,” but that did not appear to be entirely true based on the data RBI provided to me.
After the Financial Post asked about the apparent discrepancy, the company changed its privacy statement to say that users’ ability to limit location tracking varies “depending on your device” and the company now states that users should “check and understand your device settings” to make sure they are comfortable with how much location information they’re sharing.
I had no idea how extensive the tracking data was until I saw it.
Read his whole article to find out more about how beginning last year, RBI, using a Brooklyn firm called Radar Labs, basically pinged his phone every few minutes, regardless of whether he had the app open or not. And the data and “insights” the data collection generated were used to indicate whether he might be going into a competitor’s or might be at his home or his office.
It’s bad, yeah.
And when the company found out that they were about to be publicly raked over the coals for their practices, they quickly changed the FAQ for their app’s privacy.
From a conversation on Twitter, I have been told that the Office of the Privacy Commissioner could investigate and issue findings, but has no authority to fine the company. For that, consumers might have to launch a potential class action lawsuit. I do not understand Canadian law well enough to know how that would work — whether there needs to be any concrete injury or if the injury to dignity and privacy by tracking people without their knowledge or informed consent is sufficient grounds for a suit. I hope it’s the latter, and do hope that consumers in Canada pursue this.