Is Your Medium Double-Double Spying on You?

When dealing with privacy, the user’s consent to the collection, use, and disclosure of data is paramount.

On June 1, 2022, a joint investigation by the Office of the Privacy Commissioner of Canada, Commission d’accès à l’information du Québec, Office of the Information and Privacy Commissioner for British Columbia, and Office of the Information and Privacy Commissioner of Alberta found that the Tim Hortons app was in violation of Canadian privacy laws.

The app asked users for permission to access the mobile device’s geolocation functions, leading users to believe that information would only be accessed when the app was open. However, the app – even when not open – tracked user movements, according to a news release issued by the Office of the Privacy Commissioner of Canada.

The app used the data to infer details about users, including where they lived, worked and travelled. Each time users went to a Tim Hortons competitor, their home, their workplace or a sports venue, the app would generate an “event.”

In 2019, James McLeod, rugged individual and coffee lover, made a request for access to personal information under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Upon a PIPEDA request, an individual is informed of the existence, use, and disclosure of their personal information, given access to that information, and – at the discretion of the organization – the source of this information. McLeod discovered that Tim Hortons had recorded his longitude and latitude co-ordinates more than 2,700 times in less than five months.

Tim Hortons ceased its plans to use the location data for targeted advertising but continued to collect location data for a year thereafter. This did not eliminate the risk of surveillance however, as Tim Hortons had a contract with an American third-party location services supplier that would have allowed the company to sell “de-identified” location data. De-identified geolocation data could be re-identified, the ease of which was detailed in a research report by the Office of the Privacy Commissioner of Canada.

The authorities recommended that Tim Hortons:

1. Delete remaining location data and direct third-party providers to do so as well.
2. Establish and maintain a privacy management program, which would include:
   • impact assessments for apps;
   • ensuring information collection is necessary and proportional to the privacy impacts; and
   • adequately explaining app-related practices.
3. Report back with the measures taken.

Tim Hortons agreed to implement the recommendations.

Michael McEvoy, Information and Privacy Commissioner for British Columbia, stated that “this investigation sends a strong message to organizations that you can’t spy on your customers just because it fits in your marketing strategy. Not only is this kind of collection of information a violation of the law, it is a complete breach of customers’ trust. The good news in this case is that Tim Hortons has agreed to follow the recommendations we set out, and I hope other organizations can learn from the results of this investigation.”

What can users do?

Consumers should do their best to ensure they are only giving businesses as much access as they would like to. Read the terms and conditions and privacy policies of each app or service used.

What can businesses do?

1. Always obtain consent: businesses should be transparent with their policies, allowing the consumer to make an informed choice.
2. Don’t use personal information in a way that is different from what is promised.
3. Ensure information collection is necessary/proportional: one way to mitigate concerns is through anonymization by aggregating the data. However, if businesses do not want to aggregate data, they should adequately disclose what they are going to do with the data and obtain express consent from the user.

The findings from the joint investigation show us how easily data can be collected from users, breaching their trust. In order to be on the right side of both consumers and privacy law, it is paramount that businesses obtain express consent from users and also ensure that the amount of data collected is proportional to its intended use.