A joint investigation by four Canadian privacy regulators has found that the way Tim Hortons’ mobile app tracked and recorded its users’ locations to be in violation of Canadian privacy laws.

Nearly two years ago, the Office of the Privacy Commissioner of Canada (OPC) announced it was launching an investigation into how Tim Hortons’ mobile app tracked, collected and used location data. The investigation was conducted in collaboration with privacy commissions in Quebec, Alberta and British Columbia.

It started after National Post reporter James McLeod published a story based on data he had obtained about how the app had tracked his location. He found that his location had been recorded more than 2,700 times in less than five months – including when he wasn’t using the app, which was contrary to what the company said would happen on its own website.

Released Wednesday morning, the investigation found that users had their movements tracked and recorded “every few minutes of every day.” While the app asks for permission to access a mobile device’s geolocation data, the OPC said it “misled many users to believe information would only be accessed when the app was in use,” when the tracking actually occurred as long as a device was powered on.

The app used this location data to infer where users lived and worked, as well as if they were travelling away from either of those locations. It also generated and tracked “events” that were unrelated to their Tim Hortons purchases, including when they entered or left a Tim Hortons competitor or a sports venue.

The OPC also took issue with the fact that Tim Hortons continued to collect data even though it had ended plans to use it for targeted advertising, as it did not have a need to do so.

Tim Hortons said it only used aggregated data that could not be tied back to a specific user as a way to analyze consumer trends, and had stopped the practice after the investigation was launched.

However, the OPC found that even though the data collection may have stopped, a contract with a U.S.-based third-party location services supplier contained language “so vague and permissive” that it left the door open for this company to sell the location data for its own purposes.

Though not named in the investigation, the app was developed with assistance from Radar Labs. Tim Hortons removed Radar Labs’ technology from the app in 2020.

In its report, the OPC also pointed out that even “de-identified” data still has a heavy risk of being used to “re-identify” the person it came from, especially when it comes to location data, citing findings from a report it released in 2014. Beyond being able to determine where people live and work, location data can be used to ascertain people’s medical conditions, religious beliefs, sexual orientation and political affiliations, all of which can narrow down a data set and tie it back to a particular individual.

“This investigation sends a strong message to organizations that you can’t spy on your customers just because it fits in your marketing strategy,” said Michael McEvoy, information and privacy commissioner for British Columbia, in a statement. “Not only is this kind of collection of information a violation of the law, it is a complete breach of customers’ trust.”

Finally, the investigation found that Tim Hortons didn’t have a “robust” privacy management program to manage the app, which the OPC says would have helped Tim Hortons identify and fix the issues the investigation found.

“This case once again highlights the harms that can result from poorly designed technologies, as well as the need for strong privacy laws to protect the rights of Canadians,” said Daniel Therrien, privacy commissioner of Canada.

The privacy authorities issued several recommendations for Tim Hortons, which they say the QSR has agreed to.

Tim Hortons will establish and maintain a privacy management program that includes privacy impact assessments for its app, as well as any new apps it launches in the future. The program will also include a process that ensures information collection is “necessary and proportional” to the privacy impacts it will have. It will also uphold that any communications related to privacy adequately and accurately explain any app-related practices.

The restaurant will also delete the remaining location data it still has, and direct its third-party service providers to do the same. Tim Hortons must also provide a report on the details of measures it has taken to comply with the recommendations.

There were no financial penalties given, as the OPC lacks the authority to issue fines. However, four class-action lawsuits have been launched against Tim Hortons in Canada related to data and location tracking.

Tim Hortons says it has begun work on implementing the recommendations, including changes to how it communicates to app users that were already made in 2020.