Tim Hortons’ App Under Investigation for Privacy Concerns

Tim Hortons restaurant

Tim Hortons is being investigated by Canadian privacy authorities. Earlier this month, some concerns were raised about one of Canada’s most popular restaurant chains. A reporter found out that Tim Hortons was collecting data in the background in its app. Canadian privacy watchdogs are now investigating whether this data collection was legal.

Two weeks ago, the Financial Post published an article about the fact that Tim Hortons’ mobile ordering app was tracking the movements of its customers. James McLeod, a reporter for the Financial Post, looked into his own data. He found out that the app had been logging his coordinates for months without him knowing about it. He had never consciously given consent for this.

The app knew where his home and workplace were located, which makes sense since it needs to know a users’ location to route an order to the nearest restaurant. But the app also knew where he had gone on vacation and when he had visited a competitor’s restaurant. All of this data was sent to the company’s corporate servers, which was then sent to an American company that analyzed the data.

McLeod had put in a request with the restaurant chain to look into his data, which is his right under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian version of the GDPR.

Tracking in the Background

The app was not just tracking his location when he was using it, but also in the background. Even when he hadn’t used the app for days. Tim Hortons’ chief corporate officer Duncan Fulton said that anyone who installs the app and gives it access to the GPS on their phone has consented to this type of tracking. But the FAQs in the app tell users that it will only track your location “when you have the app open”.

“We absolutely agree that our FAQ on location data could have been more clear,” Fulton said. The statement in the FAQs has since been removed and replaced with another one. It now states that you need to look into your phone’s settings to make sure that “they reflect your preference”.


On Monday, four Canadian privacy watchdogs announced that they are launching an investigation into the data collection of the app. The privacy commissioners said they “will look at whether the organization is obtaining meaningful consent from app users to collect and use their geolocation data for purposes which could include the amassing and use of detailed user profiles, and whether that collection and use of the data is appropriate in the circumstances.”

Fulton has stated that the company will fully cooperate with the investigation. The company has also stopped the data collection in the background. But it is still saying that it had people’s consent to track their location. The company wrote in an e-mail that its “guests always had the choice of whether they share location data with us, including ‘always’ sharing location data – an option offered by many companies on their own apps”.

Ann Cavoukian, a privacy advocate, has spoken out against this. “No one had the expectation that this information was being collected and retained — the cell phone geolocation data. It’s absurd to think that people were consenting to that,” she said.

Geolocation Data

The privacy commissioner’s office said that it “considers this to be an issue of great importance to Canadians, given the privacy issues it raises. Geolocation data can be very sensitive as it can reveal information about the habits and activities of individuals, for example, medical visits or places that they regularly frequent.”

And the investigation into Tim Hortons’ app isn’t the only one of its sort. Last month, the state Arizona sued Google for collecting location data without users consent. Currently, privacy concerns are being fore fronted in the media. Especially now that so many governments are trying to track the Covid-19 virus with various apps. They want to know where people go and who they are in contact with, to keep them safe and healthy.

The downside to this is that it limits people’s privacy and allows the government to monitor them. People want to know how far governments and companies can go in tracing them. In a move to reduce concerns, Apple and Google have made a statement that they will switch off their Corona trackers once the pandemic is over. But that could take months, if not more.

Cybersecurity analyst
David is a cyber security analyst and one of the founders of VPNoverview.com. Interested in the "digital identity" phenomenon, with special attention to the right to privacy and protection of personal data.