DonutGate: The BatS**t Crazy Story Behind Tim Hortons Massive Privacy Violation

The Canadian government recently exposed Goliath donut franchise “Tim Hortons” for massive violations of consumer privacy. Investigators found that the app was tracking users, minute by minute of every day, collecting data and behaviors even when the app was closed and not being used.

The app spied on customers, tracking and watching them at home and work, and alerting the marketing team any time a customer visited competing shops.

cup-of-coffee-and-a-donut-tim-hortons-donut-gate-privacy-commando-small

The data was collected, enumerated, and analyzed by Radar, a third-party tracking company whose user agreement appears to allow customer data to be sold to other marketers.

Tim Hortons donuts are good. Damned good.

But is a half-priced donut really worth giving up your protected right to privacy?

About Tim Hortons and The Tim Hortons App

Tim Hortons calls itself the “Home of Canada’s favorite coffee.” Since its founding fifty-eight years ago in 1964 by famed Canadian hockey player Tim Horton, the company has become a global symbol of all that is Canada. With over four-thousands restaurants, it’s the largest fast-food chain in the nation with twice as many locations than McDonald’s.

And like almost every franchise service around the world, Tim Hortons has a convenient mobile app for your cell phone.

The app makes it easy for customers to order and pay from their phone, access a personalized menu based on their previous order history, and receive valuable rewards like free coffee and donuts after a certain number of purchases.

As far as apps go, it’s what you would expect. But with one big difference.

Tim Hortons and The Office of The Privacy Commissioner of Canada

the-office-of-the-privacy-commissioner-of-canada-logo-small

On June 1 of 2022, the Office of the Privacy Commissioner of Canada published the result of its two-year investigation into the Tim Horton app.

According to Privacy Commissioner Daniel Therrien, “Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance. This case once again highlights the harms that can result from poorly designed technologies as well as the need for strong privacy laws to protect the rights of Canadians.”

Michael McEvoy, the Information and Privacy Commissioner for the Canadian province of British Columbia, further stated “This investigation sends a strong message to organizations that you can’t spy on your customers just because it fits in your marketing strategy. Not only is this kind of collection of information a violation of the law, it is a complete breach of customers’ trust. The good news in this case is that Tim Hortons has agreed to follow the recommendations we set out, and I hope other organizations can learn from the results of this investigation.”

The Privacy Commissioner became aware of the app after Financial Post reporter James McCleod discovered that the app “knew where he lived, where he worked, where he vacationed, as well as whenever he walked into certain competing fast-food restaurants.” (James McCleod, “Inside the code: How the Tim Hortons app reveals details on its users” June 15, 2020 https://financialpost.com/technology/inside-the-code-how-the-tim-hortons-app-reveals-details-on-its-users).

James reported that Tim Hortons was secretly collecting the “highly personal” customer data of over four million users, without their permission or knowledge, every few minutes of the day even when the app was closed and not being used.
Canada has some of the strictest privacy laws in the world, even going beyond those of the European Union’s GDPR with fines for businesses that can reach into the tens of millions of dollars.

How The Tim Horton App Violates Canada's Privacy Laws and Puts Consumers At Risk

Until recently, a growing number of businesses in Canada have looked at privacy and the protection of online digital privacy as a commodity to be bought and sold without regard to the consumer, some even treating Canadians as nothing more than marketing beacons.

Tim Hortons’ app, once installed, tracked massive amounts of personal data that was used to follow and surveille the movements of the users, minute by minute. The analyzed data was able to pinpoint the user’s location, determine the user’s home address and where the user works, and was also able to produce pathing data. Pathing data is a compiled map that shows a “target’s” daily movements and regular routines, including stores visited, trips to medical clinics or other personal services, make assumptions and deductions about religious beliefs, sexual preferences, social and political affiliations, and even whether the customer was using and buying competitive products.

The agreement with Radar opened additional privacy concerns whereby Radar could choose to sell user location data to other marketers. Radar assured investigators this was not their intention even though the opportunity was present and contractually permitted.

Most disturbing has been that the Tim Horton app was able to track all of these user behaviors even if the app was closed and off.

BatS**t Crazy Violation Of The Protection Of Your Online Digital Privacy

Fortunately, Tim Hortons had no ill or exploitive intent towards its four million users and the privacy problems are being resolved.

But Tim Hortons is just one of a growing number of businesses around the world that are producing apps and casually tracking private user data.

The privacy risks and implications of apps like these are monumental, and they go well beyond just the annoyance of targeted individualized marketing.

Here’s the Batsh**t crazy part …

For example, Tim Hortons is an international company operating in fourteen countries including Canada, the United Arab Emirates, the United States, China, Philippines, Saudi Arabia, Spain, India, United Kingdom, Thailand, Kuwait, Oman, Doha, and Mexico.

Private confidential “individualized” customer information and data could easily be shared with stores and marketing agencies in each of the countries the business operates in. The private data could also be demanded by or shared directly with governments, government agencies, police agencies, and political organizations. And these types of apps could also be used to track and surveille individuals. All without the user’s permission or knowledge.

Considering the massive volume of data an app like this is able to collect, the sharing of private data about religious beliefs, sexual orientation, or political ideologies and affiliations could put an individual in extreme and dire danger including imprisonment or even death.

The Consequences of The Tim Hortons App and What Tim’s is Doing to Protect Your Digital Privacy

The investigation concluded that Tim Hortons misled its app users. Users believed the app was only active and tracking data when opened and being used.

“In reality, the app tracked users as long as the device was on, continually collecting their location data,” stated Daniel Therrien.

During the investigation, Tim Hortons stated that they originally only wanted to use the information to present its users with promotional offers relevant to their immediate location. However, they ended up using the data, in aggregated form, meaning without directly identifying the customer, to study and understand emerging business trends.

Aggregated data can still reveal personal details and identification through a process called re-identification.

Tim Hortons has agreed to delete the collected location data and redesign its app. In return, the company will not face any penalties or fines.

How Can You Protect Your Privacy from Apps That Don't Behave?

If you’re interested in protecting your online and digital privacy and protecting your online anonymity, Privacy We recommends you begin by asking if you really absolutely must have and can’t live without the app.

Is a donut really worth giving up your right to privacy and allowing businesses and governments to track your entire world-wide life non-stop?

Probably not. Especially considering that you can just walk into the store and walk out with a dozen donuts within a few seconds, no questions asked. Leave your phone at home.

how-can-you-protect-your-privacy-from-apps-that-do-not-behave-donuts-the-privacy-commando

Don’t install apps you don’t really need. And think carefully about the ones you do.

Sharing is Caring!

If you like this article, please help us by sharing it with friends on your favorite network

Facebook
Twitter
LinkedIn
Pinterest
Reddit
StumbleUpon
Telegram
WhatsApp
Email
Print

If You Like This Story, Check One Of These Stories Next ...