I don’t know whether to think this is abnormal or not. I think it is not.
Tim Hortons is fast food chain, based in Canada with about 5,000 restaurants in 15 countries, including the United States.
Like many companies, Timmies (yup, that is one of the names for it) has an app.
And, like many companies, the app asked the user for permission to capture the user’s location.
What Timmies didn’t understand is that Canadian privacy laws take user privacy a bit more seriously that U.S. laws do.
Canadian Federal Privacy Commissioner Daniel Therrein said that Tim Hortons app tracked and recorded users’ movements every few minutes on a daily basis, even when the app was not open.
Before you say that your favorite app would not do that, there are many cases in the U.S. and other countries where companies have been accused of similar things.
The Canadian Privacy Commissioner called Hortons’ app a mass invasion of Canadians’ privacy that violated Canadian laws. There are probably other countries where they could also be charged, but likely the U.S. is not one of them. Possible, but not likely.
Timmies generated an “alert” every time a user-entered or exited a Hortons competitor, a major sports venue, their home or their workplace.
The federal investigation was started after a reporter found that the app had tracked his movements more than 2,700 times in less than five months.
The Hortons app had more than a million and a half users as of two years ago.
After they got caught, Hortons says that they removed the geolocation technology from their app.
They changed their data collection tactics in 2019 to reduce the number of events to 10 per day per user. They used this data to collect trends and to push ads to app users.
Once the investigation started, they disabled the location tracking feature. That is probably an indication that they thought they were in trouble.
However, the Canadian feds are smart. They looked at Hortons deal with their new data collection partner, a U.S. company called Radar.
The Privacy Commissioners said that while Hortons was no longer using the data, their contract with Radar did not stop the third party from using and selling the location data to other people. While they said the data was de-identified, researchers say it only takes, on average, 4 pieces of data to re-identify that user.
Unfortunately, this is the norm, and, for the most part, in the U.S., it is not illegal. Credit: Yahoo Financ