IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Tim Hortons 'offers free coffee and donut' to app users to settle data lawsuit

Canadian privacy commissioners found that the coffee giant had tracked and recorded the movements of its app users every few minutes of the day, even when the app wasn’t open

Tim Hortons has reached a proposed settlement of a national class action lawsuit involving its app and the collection of geolocation data.

The Canadian coffee giant had been found to have tracked and recorded the movements of its app users every few minutes of the day, Canadian privacy commissioners found in June 2022. This happened even when the app wasn’t open, in violation of the country’s privacy laws, and occurred between 1 April, 2019 and 30 September, 2020.

Tim Hortons sent an email to customers on 29 July detailing that as part of the proposed settlement agreement, eligible app users will receive a free hot beverage and baked good, as shared by James McLeod on Twitter. The company is set to share the details of the distribution of this settlement once it is approved by the court.

Tim Hortons has offered to compensate group members in two areas, without any admission of liability, for the purpose of avoiding trial and the additional costs and expenses related thereto, it said. 

The first is granting each eligible member one credit to be used to purchase one free hot beverage, at the value of $6.19 CAD plus taxes, and one free baked good, at the value of $2.39 plus taxes, from any participating Tim Hortons store in Canada.

The second is that the company said it would take appropriate measures to permanently delete any geolocation data about group members that may be in its possession, and instruct its third-party vendor, Radar Labs, to do the same.

IT Pro has contacted Tim Hortons for comment.

What did the investigation find?

At the start of June, an investigation into Tim Hortons from various privacy commissioners in Canada found that its continual and vast collection of location information was not proportional to the benefits the store may have hoped to gain from better-targeted promotion of its coffee and other products.

The Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta carried out the investigation.

“The Tim Hortons app asked for permission to access the mobile device’s geolocation functions but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data,” the commissioners said.

They also found the app used location data to infer where users lived, where they worked, and whether they were travelling. It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.

The investigation discovered that Tim Hortons continued to collect vast amounts of location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so.

The company said it only used aggregated location data in a limited way, like analysing user trends, whether users switched to other coffee chains, and how users’ movements changed as the pandemic took hold.

The investigation launched in 2020, and while the store stopped continually tracking users’ locations in the same year, the commissioners said that this didn’t eliminate the risk of surveillance. They added that Tim Hortons’ contract with a US third-party location services supplier contained language that was vague and permissive, which would have allowed the company to sell “de-identified” location data for its own purposes.

“There is a real risk that de-identified geolocation data could be re-identified,” warned the commissioners.

“Location data is highly sensitive because it can be used to infer where people live and work, reveal trips to medical clinics. It can be used to make deductions about religious beliefs, sexual preferences, social political affiliations and more,” they underlined.

Lastly, the investigation revealed that Tim Hortons lacked a robust privacy management programme for the app, which would have allowed the company to identify and address many of the privacy contraventions the investigation found.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Home Office to collect foreign offenders' biometric data using smartwatch scheme
privacy

Home Office to collect foreign offenders' biometric data using smartwatch scheme

5 Aug 2022
UK safety tech sees another year of growth, amidst backlash
business transformation

UK safety tech sees another year of growth, amidst backlash

2 Aug 2022
TikTok to give researchers new API for insight, greater transparency
Business operations

TikTok to give researchers new API for insight, greater transparency

28 Jul 2022
FTC fires warning against sensitive data misuse
Policy & legislation

FTC fires warning against sensitive data misuse

13 Jul 2022

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022