Plaintiffs and privacy commissioners are confronting Tim Hortons QSR-T -0.23% decrease over allegations that the fast-food chain violated Canada’s privacy laws by tracking customers via its popular smartphone app.
The tracking capabilities of the Tim Hortons app – which more than one in 10 Canadians use at least once a month – are the subject of legal probes, launched in 2020, that have raised questions about whether the company gathers too much information about its customers through their smartphones.
In addition to four lawsuits, the company faces investigations into its mobile app by four of Canada’s privacy commissioners, who are expected to release the findings of their joint probe in the near future.
“The investigation is ongoing, but in its final stages, and we expect it to be completed very soon,” said Vito Pilieci, a spokesman for the federal Office of the Privacy Commissioner.
Their report could result in orders directing the company to change how it collects data.
Concerns first arose in a 2020 National Post article that revealed the Tims mobile app was capable of constantly tracking users’ movements, even when not actively in use. After that report, the federal Privacy Commissioner teamed up with counterparts in Alberta, B.C. and Quebec to investigate.
The chain’s parent company, Toronto-based Restaurant Brands International Inc., QSR-T -0.23% decrease has faced continuing fallout in the form of four class-action lawsuits launched in British Columbia, Quebec and Ontario. The legal actions all concern “the collection of geolocation data through the Tim Hortons mobile application,” RBI has disclosed in earnings reports.
Tim Hortons is not alone in gathering data on customers through apps. But the lawsuits and investigations allege the fast-food company was not clear enough with customers about the scope of the information being collected.
“Geolocation data can be very sensitive as it can reveal information about the habits and activities of individuals, for example, medical visits or places that they regularly frequent,” the four privacy commissioners said when they launched their probe.
The commissioners’ findings on Tim Hortons could provide valuable information for the lawsuits. “We are eagerly awaiting the report,” said Darryl Singer, a lawyer who has launched actions in Ontario and B.C.
The Tim Hortons mobile app has more than 4.3 million monthly active users and was second only to Amazon among the most used e-commerce apps in Canada as of the end of March, the company’s chief operating officer, Matt Moore, said in a presentation to investors this month.
The lawsuits allege this digital growth has come at a cost to consumer privacy. “The Personal information collected by the Defendants may reveal health issues by identifying the App Users’ visits to health care facilities (such as Cancer wards, fertility, pregnancy, and abortion clinics, plastic surgery clinics, addiction and mental health clinics and others),” reads one of the statements of claim filed in Ontario.
The software was developed by RBI in partnership with Radar Labs, a U.S. company, which is named as a co-defendant in two of the four Canadian class actions.
The lawsuits have been filed by customers who downloaded the app on their phones but say they were not adequately informed about the information it would gather.
The company removed Radar Labs’ geolocation technology from its app in 2020, Tim Hortons director of communications Michael Oliveira wrote in an e-mailed statement. The company is co-operating with privacy authorities, he added, and made changes in June of that year to how it communicates the data its app uses.
“We’ve also strengthened our internal team that’s focused on enhancing best practices when it comes to privacy and data. We’re continuing to focus on ensuring that guests can make informed decisions about their data when using our app,” Mr. Oliveira wrote.
Jurisdictions such as Europe have passed privacy legislation aiming to address the increasingly aggressive data-gathering practices of corporations. In Canada, however, a patchwork of privacy laws remains in place.
The federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, is almost two decades old. The federal government proposed an update in late 2020, which would have put stronger guardrails around the collection, disposal and removal of identifying information from personal data. But the legislation died when last fall’s election was called and has not been reintroduced.
The coalition of privacy watchdogs has also been fighting the spread of facial-recognition software. In 2020, three of the commissioners found that such technology had been unlawfully deployed in 12 Canadian shopping malls. The following year, the four privacy officials found that U.S. company Clearview AI had unlawfully gathered data about Canadians in providing services to police. They ordered Clearview to stop and to purge any data it had collected on Canadians. Clearview is fighting the orders in Canadian courts.
The initiatives by the four privacy commissioners to tackle such issues together is a welcome development, Brenda McPhail of the Canadian Civil Liberties Association said. But such partnerships also highlight how some jurisdictions have lagged in giving privacy officials powers over the corporate sector.
“The negative side is that it means people across Canada have differing levels of privacy protections and different recourse depending on what provinces they are from,” Ms. McPhail said.
SUSAN KRASHINSKY ROBERTSON, RETAILING REPORTER
The Globe and Mail, May 31, 2022