In response to inquiries from the Financial Post, privacy commissioners’ offices at the federal level and in British Columbia said they’re looking into the Tim Hortons app. Quebec’s privacy commissioner also said it is concerned about the issue and analyzing the situation.“What we can say is that this raises serious concerns and we will be contacting Tim Hortons,” a spokesperson for federal privacy commissioner Daniel Therrien said in an email.A spokesperson for the Office of the Information and Privacy Commissioner of B.C. said in an email, “Our office is aware of the persistent location tracking in the Tim Hortons app as reported by media, and will be looking into the issue in more detail. We also encourage anyone with privacy concerns about this mobile app to submit a complaint to our office.”
real-time geolocation information." Different data, different rules The FCC has previously said that any location data in the National Emergency Address Database (NEAD) "may not be used for any non-911 purpose, except as otherwise required by law." That's a stronger protection than what the FCC applies to other forms of Customer Proprietary Network Information (CPNI).
Tim Hortons chief corporate officer Duncan Fulton said in an emailed statement that the app gets consent from users because they allow the app to access location services on the phone.“Like all apps on iOS and Android, guests receive notice and must provide their permission — their express consent — before our app can access the location of their device,” he said.
Two lawyers who spoke to the Financial Post said the law is pretty clear on collecting personal data in Canada, and simply asking for location permission isn’t enough to get consent. However, both lawyers said that enforcement of the letter of the law is often lacking.“Companies need to be forthright in advance about what they’re proposing to do with your information, and they have to get consent, and that consent has to be based on you understanding what is going on,” said David Fraser, a lawyer at McInnes Cooper in Halifax who specializes in privacy issues. “If they don’t explain those purposes, they would be offside the legislation.”
The federal privacy commissioner has issued guidelines on what constitutes meaningful consent under Canada’s data privacy laws, and the document specifically addresses location data.
“If there is a use or disclosure a user would not reasonably expect to be occurring, such as certain sharing of information with a third party, the downloading of photos or contact lists, or the tracking of location, express consent would likely be required,” the document said.Fraser said that granting an app permission to access the GPS device on a user’s phone is not the same as consenting to location tracking.
AT&T then falsely stated it had suspended Securus’ and other aggregators’ access to customer data, the plaintiffs say, but just a few days later, a Motherboard article reported the carrier was selling customers’ phone locations to car salesmen, bail bondsmen, landlords and bounty hunters for as little as $7.50.
“On an iOS device or an Android device, an app is not able to find out your location unless you’ve given permission to the operating system to access your location information,” he said. “There’s a decision from the privacy commissioner of Canada that app permissions do not equal consent.”
Bill Hearn, a partner at Foglers Rubinoff LLC in Toronto, offered the same interpretation of Canada’s Personal Information Protection and Electronic Documents Act.
App permissions do not equal consentDavid Fraser
“I’m not picking on Tim’s, but industry has arguably flouted some of Canada’s consent and privacy requirements because the consequences were really not meaningful, and that there was not deterrence,” he said.
Hearn said the federal privacy commissioner has been asking for tougher enforcement powers for years, but at the moment the watchdog has a loud bark, but not much bite.He added that the Competition Bureau has been able to enforce penalties against companies when they mislead consumers about their data collection practices, essentially on the grounds of false advertising.In a lengthy statement to the Financial Post, the Competition Bureau said it couldn’t confirm if it was looking at the Tim Hortons app.
How to Reclaim Your Privacy
“From the Bureau’s perspective, the harm occurs when companies use deceptive practices that prevent Canadian consumers from making informed decisions about the personal information they share and with whom,” the statement said.“As the Bureau is required to do a complete and thorough review of all facts of a case before reaching any conclusion, I cannot confirm whether the conduct described in your enquiry would raise concerns under the Competition Act. We strongly encourage anyone who feels they have been misled by privacy claims to file a complaint with the Bureau.”