The Tim Hortons mobile app has caught the eye of the Canadian Privacy regulator.
The Canadian privacy authorities are to conduct an investigation to assess whether the mobile app properly obtained consent for location monitoring.
On the face of it, small beer (or coffee) and something just for the Canadians to get excited about. However, dig a little deeper into what this app is doing, and we can see that it has implications not only in California (where you can actually use the app), but also for every privacy regulator globally, and for all apps using similar methods.
The mechanics of the application were exposed by a privacy data access request under PIPEDA (Canadian privacy legislation). Tim Hortons did indeed provide volumes of user data in response to the data access request, which included the identification of the user's home, where they work, every time they went anywhere near a competitor, and their daily routine, pretty much tracking all activity at 3-5 minute intervals.
The Tim Hortons mobile app uses an API provided by Radar Labs Inc.
This is an interesting concept for a company that can provide you with all the tools you need to create a forensic analysis of an individual’s behaviour. The API can certainly be used in a highly non-compliant way in terms of the GDPR.
With the help of a number of integrations, the Radar Labs Inc API can provide an end-user application with massive data aggregation and de-anonymisation capabilities, taking discrete datasets and attempting to map identical end-user behaviours to multiple devices and user IDs.
Clearly this kind of functionality needs to come with a health warning to the app developer about how to avoid creating such application privacy mishaps.
In their defence, Tim Hortons claim that they are only doing what everyone else does, and that they are not at the cutting edge of this technology. Certainly, this is the case when it comes to the data privacy of their customers.