Tim Hortons 'offers free coffee and donut' to app users to settle data lawsuit

Tim Hortons has reached a proposed settlement of a national class action lawsuit involving its app and the collection of geolocation data.

The Canadian coffee giant had been found to have tracked and recorded the movements of its app users every few minutes of the day, Canadian privacy commissioners found in June 2022. This happened even when the app wasn’t open, in violation of the country’s privacy laws, and occurred between 1 April, 2019 and 30 September, 2020.

Tim Hortons sent an email to customers on 29 July detailing that as part of the proposed settlement agreement, eligible app users will receive a free hot beverage and baked good, as shared by James McLeod on Twitter. The company is set to share the details of the distribution of this settlement once it is approved by the court.

Tim Hortons has offered to compensate group members in two areas, without any admission of liability, for the purpose of avoiding trial and the additional costs and expenses related thereto, it said.

The first is granting each eligible member one credit to be used to purchase one free hot beverage, at the value of $6.19 CAD plus taxes, and one free baked good, at the value of $2.39 plus taxes, from any participating Tim Hortons store in Canada.

The second is that the company said it would take appropriate measures to permanently delete any geolocation data about group members that may be in its possession, and instruct its third-party vendor, Radar Labs, to do the same.

IT Pro has contacted Tim Hortons for comment.

What did the investigation find?

At the start of June, an investigation into Tim Hortons from various privacy commissioners in Canada found that its continual and vast collection of location information was not proportional to the benefits the store may have hoped to gain from better-targeted promotion of its coffee and other products.

The Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta carried out the investigation.

“The Tim Hortons app asked for permission to access the mobile device’s geolocation functions but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data,” the commissioners said.

They also found the app used location data to infer where users lived, where they worked, and whether they were travelling. It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.

The investigation discovered that Tim Hortons continued to collect vast amounts of location data for a year after shelving plans to use it for targeted advertising, even though it had no legitimate need to do so.

The company said it only used aggregated location data in a limited way, like analysing user trends, whether users switched to other coffee chains, and how users’ movements changed as the pandemic took hold.

The investigation launched in 2020, and while the store stopped continually tracking users’ locations in the same year, the commissioners said that this didn’t eliminate the risk of surveillance. They added that Tim Hortons’ contract with a US third-party location services supplier contained language that was vague and permissive, which would have allowed the company to sell “de-identified” location data for its own purposes.

“There is a real risk that de-identified geolocation data could be re-identified,” warned the commissioners.

“Location data is highly sensitive because it can be used to infer where people live and work, reveal trips to medical clinics. It can be used to make deductions about religious beliefs, sexual preferences, social political affiliations and more,” they underlined.

Lastly, the investigation revealed that Tim Hortons lacked a robust privacy management programme for the app, which would have allowed the company to identify and address many of the privacy contraventions the investigation found.