The mobile app of Canadian coffee chain Tim Hortons was found to have been tracking people even when it’s off, despite “misleading” the users to think otherwise. It was gathering user data, including their movement, places of living, as well as places of work.
After a thorough investigation by state and provincial authorities, the iconic Canadian brand was found to be breaking the law on mobile tracking and data harvesting.
What’s more, the app generated an ‘event’ every time the user would enter a competitor’s premises, a major sports venue, their home, or their office.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
The initial investigation into Tim Hortons was launched two years ago, and that’s when the company decided to pull the plug on its data harvesting program.
However, it kept a contract with an American third-party location services supplier whose language was “so vague and permissive” that it would have allowed it to sell de-identified location data (opens in new tab), The Office of the Privacy Commissioner of Canada said in a press release (opens in new tab).
The company also said its use of aggregated location data was “limited” to spotting trends, such as whether users switched to other coffee chains, or how the pandemic affected their coffee buying habits.
> Users warned of Microsoft data harvesting (opens in new tab)
> Google under investigation in Australia for large scale Android data harvesting (opens in new tab)
> Facebook sues analytics firm over alleged data harvesting (opens in new tab)
The press release further stated that the app “continued to collect vast amounts of location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so.”
The company behind the app was ordered to delete all remaining location data, as well as to force third-party providers to do the same. It was also ordered to establish and maintain a privacy management program, and report back to the authorities detailing how it plans on staying compliant with the rules and regulations on data privacy.
No financial penalty, though, but the company said it would carry out the orders.
- Remain anonymous online with the best firewalls around (opens in new tab)
Via: Bloomberg (opens in new tab)