A recent investigation report into Tim Hortons, co-authored by the Office of the Privacy Commissioner of Canada (“OPC”), Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner of Alberta, and Office of the Information and Privacy Commissioner of British Columbia (collectively, the “Commissioners”) has prompted renewed and pressing calls for change in Canadian privacy law.

The Report’s findings have prompted calls for monetary penalties against companies engaged in privacy breaches. Outgoing federal Privacy Commissioner Daniel Therrien has been vocal about his concerns that the OPC’s inability to impose financial penalties is recognized as a limit on its authority and power.

On June 1, 2022, shortly after the Report was released, a spokesperson for the federal minister of innovation, science and industry, François-Philippe Champagne, commented on the need to enhance privacy protection in Canada and stated that he would be introducing a “digital charter” in the next few days.

On the same date, speaking with reporters before convening for daily question period in the House of Commons, Prime Minister Justin Trudeau emphasized the need for urgent improvements in Canada’s privacy laws. Underlining the Federal Government’s priorities, Trudeau said, “We’re always looking at how to improve the privacy of Canadians. That’s an issue that we’ll take a look at.”

A video of the full comments is available on the CPAC YouTube channel.

The Report

Following the publication of a June 12, 2020 National Post article titled “Double-double tracking: How Tim Hortons knows where you sleep, work and vacation”, the Commissioners conducted a joint investigation into the use of location tracking by Tim Hortons’ mobile app (the “App”) offered by the Canadian operator and franchisor of Tim Hortons, The TDL Group Corp. and its parent company Restaurant Brands International (collectively, “Tim Hortons”).

The App is operated by a third-party service provider based in the United States (“Radar”).

On June 1, 2022, the Commissioners released a Report of their findings under Canada’s Personal Information Protection and Electronic Documents Act, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, Alberta’s Personal Information Protection Act, and British Columbia’s Personal Information Protection Act (collectively the “Privacy Acts”).

The Commissioners found significant concerns with:

  • the amount and type of information collected;
  • Tim Hortons’ lack of transparency in collecting and using that information;
  • Tim Hortons’ contractual safeguards over user data in the provisions of its contract with its third-party service provider; and
  • Tim Hortons’ lack of adequate privacy policies.

The App requested user permission to use mobile device geolocation functions to collect users’ GPS location information. The App’s “FAQs” (and the permission request on the Android platform version of the App) misled users to believe the App only collected geolocation data while the App was activated. In fact, the App collected users’ geolocation information every 2.5 or 6 minutes, depending on which version of the app they had downloaded, at all times when their mobile device was activated, regardless of whether the App was open.

The data was used to infer where individuals lived and worked and generated an ‘event’ when users travelled, attended a professional sports event, or entered or left a Tim Hortons competitor.

Tim Hortons’ stated purpose for the collection of information was for targeted advertising and promotion of coffee and other products, and to enhance the in-app user experience. The OPC found that in fact the App was not used for this purpose. The information was instead used in the aggregate to conduct analytics related to user trends.

The Commissioners noted that although targeted advertising can be an appropriate purpose for the collection, use, and/or disclosure of personal information under the right circumstances, a reasonable person would not consider Tim Hortons’ purpose to be appropriate. There was no need to collect vast amounts of sensitive location information when that information was not used for its stated purpose, and where the consequences of the App’s collection of data, the vast majority of which occurred when the App was not in use, resulted in a loss of user privacy that was not proportional to any potential benefits Tim Hortons may obtain through targeted promotion of its coffee and associated products.

The Commissioners found that Tim Hortons had not obtained valid consent because it failed to inform users that location data would be collected when the App was not in use, and in fact had misled users on that point and failed to ensure that they understood the consequences of consenting to the continual collection of granular location data whether or not the App was open. The Commissioners also noted that even if consent had been obtained with adequate knowledge, users cannot provide valid consent when the purpose for the collection, use, and disclosure of personal information is not appropriate, reasonable, or legitimate within the meaning of the Privacy Acts.

The Commissioners found location data to be highly sensitive because it can be used to:

  • infer where people live and work;
  • reveal trips to medical facilities, which could further lead to inferences of medical treatments obtained by users;
  • make deductions about religious beliefs;
  • make deductions about sexual preferences;
  • make deductions about political affiliations;
  • and more.

Although Radar confirmed that the location data was aggregated and de-identified, the Commissioners determined that this de-identified geolocation data could be “re-identified” with the use of a unique identifier and also found that precise tracking over time, coupled with other data, can create comprehensive profiles of individuals used for targeted advertising and marketing. Further, the Commissioners noted that de-identified location information can be personal information under the Privacy Acts.

The Commissioners found that the contractual provisions between Tim Hortons and Radar were vague and permissive and would allow Radar to sell de-identified location data for its own purposes, if it desired. Radar confirmed, and the Commissioners accepted, that this did not occur.

Last, the Commissioners also found that Tim Hortons had failed to implement policies and practices to ensure compliance with the Privacy Acts. This was demonstrated in the vague and permissive contractual language, as well as the misinformation in the FAQs and difference in information provided between Android and iOS platforms.

Commissioners’ Recommendations

Following their investigation, the Commissioners made the following recommendations, which were agreed to by Tim Hortons:

  1. Delete remaining location data and direct third-party service providers to do the same;
  2. Establish and maintain a privacy management program that:
    1. includes privacy impact assessments for the App and any other apps it launches;
    2. creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; and
    3. ensures that privacy communications are consistent and adequately explain app-related policies;
  3. Report back with details of measures it has taken to comply with the recommendations.

Takeaways

The case provides a useful reminder to businesses collecting individuals’ personal information about the following principles:

  1. Proper Purpose: Companies must ensure that the purpose for the collection of personal information is proportional to the benefit obtained by the company. Any infringement on privacy must be proportional to that benefit.
  2. Consistency and Transparency: The stated purpose for the collection of personal information must be consistent with the actual use of that information. Companies must be transparent and accurate about why they are collecting personal information and how it is being used. Such statements should be consistent across all platforms.
  3. Informed Consent: Companies must obtain valid, informed consent for collection. This requires transparency and accuracy in the stated purpose for the collection and use of personal information.
  4. Contractual Safeguards: Contracts with third-party service providers that collect or obtain personal information must adequately protect that information and the individuals providing it. Contracts must ensure compliance with relevant privacy legislation. The more sensitive the information collected, the more robust this protection should be.
  5. Privacy Policies: Companies must adopt and follow adequate privacy policies to ensure ongoing compliance with relevant privacy legislation and proper protection of personal information collected, used, and/or stored by the company.