This Coffee Company’s Been Spying on Customers With Its App, According to the Canadian Government

This Coffee Company’s Been Spying on Customers With Its App, According to the Canadian Government
Tim Horton cafe in Manhattan. (Photo: Spencer Platt / Staff, Getty Images)

Canadian regulators on Wednesday found that Tim Hortons — a popular fast-food chain owned by the same multinational company as Burger King — changed its mobile app in 2019 to track and collect sensitive location data on its customers.

An investigation led by Canada’s privacy commissioner found that, indeed, with the help of a U.S.-based company called Radar, Tim Hortons was able to collect data on its customers’ locations “as often as every few minutes.”

Regulators found the collection, described as “continual and vast,” ultimately served no legitimate purpose, and was “not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products.”

“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance,” Privacy Commissioner of Canada Daniel Therrien said.

The government investigation into the company began in 2020 after a journalist at the Financial Post claimed the Tim Hortons app had recorded his GPS coordinates over 2,700 times in five months. The tracking occurred even when the app was not in use, the journalist, James McLeod, said.

Among many other locations, the app tracked McLeod each time he visited his parent’s farm in rural Ontario, while he was boarded a flight in Toronto and when he checked in to a Winnipeg hotel for a cousin’s wedding. “It bothered me,” McLeod wrote. “How many more times had Tim Hortons checked in on me? Was my coffee-ordering app tracking all my movements?”

In a statement, Tim Hortons underscored that the privacy commissioners’ report does not recommend any changes to its current app. After the Financial Post’s story, the company “proactively removed the geolocation technology,” it said.

“The very limited use of this data was on an aggregated, de-identified basis to study trends in our business — and the results did not contain personal information from any guests,” the company said.

“This investigation sends a strong message to organisations that you can’t spy on your customers just because it fits in your marketing strategy,” said Michael McEvoy, British Columbia’s information and privacy commissioner. “Not only is this kind of collection of information a violation of the law, it is a complete breach of customers’ trust.”

Phone makers have taken recent strides to stop unscrupulous app developers from farming location data. In April 2021, Apple introduced an update that gave users the option of preventing apps from tracking their locations and sharing that information with third parties.

Roughly two-thirds of iPhone users opted out of tracking when presented with the option, according to an October report by the analytics firm AppsFlyer.