PIPEDA Findings #2022-001: Joint investigation into location tracking by the Tim Hortons App
A joint investigation by the OPC and three provincial privacy authorities found that Tim Hortons collected granular location data from users of its mobile app without an appropriate purpose and without valid consent. The company tracked users' locations even when the app was closed, inferring details like home and work locations, ostensibly for targeted advertising, but ultimately did not use the data for this stated purpose. The investigation also raised concerns about contractual protections with a third-party vendor and Tim Hortons' overall accountability.
- Collection and use of granular location data for an appropriate purpose
- Obtaining valid consent for location data collection
- Adequacy of contractual protections for data processed by third parties
- Tim Hortons' accountability for privacy practices
Complaint well-founded and conditionally resolved
Tim Hortons failed to demonstrate a legitimate need for the vast amounts of sensitive location data collected, and the privacy intrusion was not proportional to any potential benefits. Consent was invalid due to misleading information about when data was collected and a failure to adequately inform users of the consequences.
AI-generated summary for reference only. Always verify against the official decision ↗
Tim Hortons agreed to delete all collected granular location data and to establish and maintain a privacy management program for its apps, including conducting privacy impact assessments.
- s. 5(3) PIPEDA
- Principle 4.3 PIPEDA
- s. 6.1 PIPEDA
This summary is for informational purposes only and does not constitute legal advice.