Tim Hortons mobile app illegally tracked users


The mobile app of Canadian coffee chain Tim Hortons was found to have been tracking people even when it was off, while “misleading” users into thinking otherwise. It was gathering user data, including their movements, places of residence, and places of work.

After a thorough investigation by state and provincial authorities, the iconic Canadian brand was found to be breaking the law on mobile tracking and data harvesting.

What’s more, the app generated an ‘event’ every time a user entered a competitor’s premises, a major sports venue, their home, or their office.


Vague language

The initial investigation into Tim Hortons was launched two years ago, and that’s when the company decided to pull the plug on its data harvesting program.

However, it kept a contract with an American third-party location services supplier whose language was “so vague and permissive” that it would have allowed it to sell de-identified location data, the Office of the Privacy Commissioner of Canada said in a press release.

The company also said its use of aggregated location data was “limited” to spotting trends, such as whether users switched to other coffee chains, or how the pandemic affected their coffee buying habits. 

The press release further stated that the app “continued to collect vast amounts of location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so.”

The company behind the app was ordered to delete all remaining location data, as well as to force third-party providers to do the same. It was also ordered to establish and maintain a privacy management program, and report back to the authorities detailing how it plans on staying compliant with the rules and regulations on data privacy. 

There was no financial penalty, but the company said it would carry out the orders.

Via: Bloomberg

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.