Tim Hortons app responsible for massive data breach

According to Canadian Privacy Commissioner Daniel Therrien, Tim Hortons’ mobile app violated privacy laws by collecting “large amounts” of sensitive geolocation data.

That’s the finding of a joint investigation by federal and provincial privacy officials released on Wednesday.

For example, the movements of people who had downloaded the application before the investigation began, that is, in 2020, were tracked and recorded every few minutes, even when the application was not open, in violation of Canada’s personal data protection laws.

The application used geolocation data to infer where users lived and worked and to determine whether they were traveling. It generated a mention when users entered or exited businesses that compete with Tim Hortons. The same mention was generated every time a user entered a venue where sporting events were held, their place of residence or their place of work.

“Tim Hortons has gone way too far by collecting a huge amount of very sensitive information about its customers. This case shows once again the damage that poorly designed technologies can do. It also underscores the need for strong laws to protect Canadians’ personal information,” said Daniel Therrien, Privacy Commissioner of Canada, in a press release.

The company stopped tracking this data after the investigation began. Legal consequences for this kind of conduct are likely to be minimal, since neither the Privacy Act of Canada nor the laws protecting personal information provide for any.

“Without due diligence, Tim Hortons collected sensitive customer information through its app without their knowledge or consent. To put an end to this type of practice, Quebec has revised its legislation on the protection of personal data to give the Commission more powers and make companies more accountable,” said Me Diane Poitras, President of the Commission d’accès à l’information du Québec.

As a result, starting in September 2023, “significant penalties are foreseen for companies that do not adopt responsible, transparent and legal practices,” Ms. Poitras said.
