LawsonInsight

Protecting Your Privacy: The Tim Hortons Data Tracking Controversy

Lawson Lundell Season 1 Episode 24

On Episode 24, “Protecting Your Privacy: The Tim Hortons Data Tracking Controversy,” Mark Fancourt-Smith and Alix Stoicheff speak with Privacy and Data Protection Lawyer Ryan Berger about how the Tim Hortons app collected too much personal information and tracked individuals’ locations without appropriate consent; how the government responded; and how companies can protect themselves against similar issues.

Mark Fancourt-Smith  00:00
The first line of his article sort of stuck with me when he said, “I never would have consciously volunteered my home address, work location and vacation plans to Tim Hortons, but the company found out anyway.”

Mark Fancourt-Smith  00:25
Welcome to LawsonInsight. My name is Mark Fancourt-Smith and I'm a partner in the dispute resolution group and Lawson Lundell’s Vancouver office.

Alix Stoicheff  00:33
And my name is Alixandra Stoicheff and I'm an associate also in the dispute resolution group, but in the firm's Calgary office.

Mark Fancourt-Smith  00:38
In 2020, a journalist, James McLeod, at the Financial Post, made an access to information request under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) from Tim Hortons. Despite only providing the Tim Hortons app, that he had downloaded, permission to use the location functionality of his phone while the app was in use, he found out that the app had been collecting user location data as frequently as every few minutes of every day, even when the app wasn't open. That discovery ultimately led to an interesting story he put out, but also to a recent report jointly authored by the Office of the Privacy Commissioner of Canada and the Private Sector Privacy Authorities of Quebec, Alberta and British Columbia. Ryan Berger joins us to chat about those findings today.

Alix Stoicheff  01:21
And Ryan Berger is a partner in the firm's Vancouver office and he specializes in privacy law and employment law. So welcome to the podcast Ryan.

Ryan Berger  01:30
Hi, everyone. Great to chat with you.

Mark Fancourt-Smith  01:32
Welcome back I should say, this is your fourth time joining us now. So thank you for the continued intelligence.

Ryan Berger  01:37
We'll have to stop counting.

Alix Stoicheff  01:40
So Ryan, what can you tell us about the report that was issued just a couple of weeks ago here now, what it had to say about Tim Hortons data tracking?

Ryan Berger  01:50
Tim Hortons had engaged a third party to assist it in tracking location data of its users for the purposes of being able to serve them with targeted advertising and offers depending on where those individuals were going. Tim Hortons also had it set up so that it would specifically track information where individuals went near competitors, restaurants, locations like KFC and Starbucks, and the like, to measure what sort of activity and loyalty its customers had. Following this story, Tim Hortons turned off a number of these features and when it went to the privacy commissioners, they took a look at the type of data collection that Tim Hortons was doing, and said that this was not proportional to the potential benefits the company hoped to gain from targeted advertising. That the location data was quite rich, particularly when collected over time and so was pretty sensitive in that way was disproportionate to the benefits and was not reasonable as required under Canadian privacy laws.

Alix Stoicheff  03:06
And, Ryan, my understanding, generally of access to information laws is that typically, you're only allowed to use them, or you're only able to use them to request information from public bodies. But I understand that here, he was able to request this information from a private actor, Tim Hortons, because there's specific provision for that in PIPEDA, right?

Ryan Berger  03:28
Yes, so PIPEDA and the three other provincial private sector privacy laws, so those are in Alberta, British Columbia, and Quebec, all provide rights to individuals to request access to their own personal information held, collected, used or disclosed by organizations. And so James McLeod took advantage of that right, to make an access request for his own personal information. And apparently, Tim Hortons provided him with the data from which he could determine the latitude and longitude information that they had collected, as well as what the service provider called insights. So they had developed some system in which they could determine the likelihood of the individual's location of their home and office and they also had pinpointed latitude and longitude for their competitors. And so that JavaScript also indicated where, when, for instance, Mr. McLeod had either gone home, left home, gone to the office, left the office, or was traveling or near one of their competitors, or Tim Hortons location.

Mark Fancourt-Smith  04:51
The first line of his article sort of stuck with me when he said, “I never would have consciously volunteered my home address, work location and vacation plans to Tim Hortons, but the company found out anyway.” And so this, it made me think of a couple of questions. On the one hand, they do give something to the consumer in terms of targeted advertising things you may be interested in benefits, discounts, and so on. But they collect much, much more the information that they're providing to the companies, about the customers may go far beyond what the customer thinks. But it may not go further than the license agreement, which nobody reads. And we all click on when we download these apps and sort of put it to back of mind. And what that made me want to ask you is, you know, to what extent can the company stand behind the license agreement? With the app in defense to these kinds of things? Is there an ability, in other words to contract out of privacy legislation?

Ryan Berger  05:48
So with respect to contracting out, the answer essentially, in Canada is no. Our courts treat privacy legislation for the most part, in a similar way to other consumer protection legislation, and do not allow individuals to sign away their privacy rights. But I think we need to be clear about it, because Canadian privacy laws are, I suppose, underpinned by the concept of consent. So there's from a legal perspective, I think of it as two hurdles that an organization has to meet. The first is, is the nature of the collection, use and/or disclosure reasonable and legal under Canadian privacy laws? If it's not, then you really can't go any farther. But if it is, then the organization still is obligated to get some form of consent from the individual. And that then leads to the question of if that language is buried in small print in a terms of use or privacy policy, is that consent effective? And that's something I think that we have to still figure out definitively in Canada and how that works. For the most part, organizations do rely on terms of use license agreements and privacy policies to obtain consent, whether that's expressly or an implied consent usually, essentially is an opt out form. But there's still, I think, a real question about whether there is fully informed consent in those cases. And I think a lot of organizations rely on an opt out or an implied consent where the app or the website collects and uses information in a way that one would reasonably expect. So for example, if you have the Tim Hortons app, and you use it to order a coffee at a particular location, you might reasonably expect it to collect your order details and your proximity to that location. So it can determine when it needs to have your order ready. And they'll rely on that for implied consent to collect and use that information.

Mark Fancourt-Smith  08:20
One thing which I found interesting, was the order in which the questions are asked first, the question is, is this reasonable? Is it necessary? And secondly, is there consent and it reminds me of commentary that has said companies like Facebook, like Google could only have evolved in The States where choice is paramount? And the data was there to be accessed before the question of is it reasonable, unnecessary?

Ryan Berger  08:42
Yeah, I think that's right. To me, it goes to fundamental questions of who we are as a society and the values that we hold. And I find that in Canada, we're in a really fascinating position, as you say, individual autonomy and your right to make your own decisions seems to be the prevailing value in the United States, including as between individuals and social media giants and others. In contrast, across the pond in Europe, they've determined that they value a right of privacy overall. And that's a fundamental right, in Europe that comes first. And I think in Canada, our laws fall on the right to privacy side, and we certainly have some court decisions that talk about a quasi-constitutional right of privacy. And the way our laws are drafted with this reasonableness standard, certainly have been interpreted as a rights-based regime. But I think it's far from clear, and I think we ought to have more of a public debate about it and what it means because we sure are influenced by the commercial realities in the United States. And I think society's perspective we get a lot of pressure there. And if we want to have a rights-based regime, when it comes to our personal privacy, we need to do some thinking about it. And we need to protect it.

Alix Stoicheff  10:11
And so Ryan, if you are a company that say you're coming from another jurisdiction into Canada, maybe from the US into Canada, you're used to a different regulatory or legal sphere there, and you're bringing your brand new, shiny app here to Canada. What are some of the top things that you're thinking about when you're designing that app in order to make sure that it's in compliance with Canadian regulations and standards and expectations? I'll put it broadly like that.

Ryan Berger  10:37
Yeah, that's great. And it's always a bit of an interesting discussion, because privacy is very under regulated to date, in the United States, companies that have been operating in the United States tend not to consider in the first place any limitations on what they can collect, use, or disclose, aside from what their customers will click to agree. So sometimes it's a little bit of an education process. And we certainly have been helped by the European laws GDPR, which is well known in privacy spheres. And if organizations in the United States are looking at a global kind of rollout, they certainly have their eyes on GDPR. And so often, we can sort of couch the discussion in those terms, and talk about how Canadian laws tend to align with GDPR. And perhaps where they don't. But you know, the first part of the discussion is that there are rights that Canadians have when it comes to the protection of their personal information, rights to consent and opt out and to access that American organizations aren't necessarily familiar with and will need to think about sometimes the use cases to start off with, are the privacy interests appropriately balanced, and do they meet Canadian legal requirements to start with? And then there are a series of compliance measures as well, that will work with companies on do they have the right kind of transparency in their policies? Did they have the right agreements with third parties and organizations that are helping them process information or, or otherwise, and then what kind of security and breach reporting mechanisms do they need to have set up to comply with Canadian law?

Alix Stoicheff  12:37
Interesting. And I should also add that for anyone who's listening and is interested in either learning more about the issue that got us all interested in this, which was James McLeod's article in the Financial Post from June 2020, or the joint report that was issued on June 1, 2022; you can go to a blog that Ryan and summer student, Amit Chandi, authored called “Tim Hortons’ Data Tracking Scandal – What Can We Learn?” And that's on Lawson Lundell’s websites and there's links to the report into the article there as well.

Mark Fancourt-Smith  13:11
Ryan, thanks so much for coming on the podcast and as I said, next time you get the smoking jacket for a five time club.

Ryan Berger  13:17
I’ll bring the smokes.

Mark Fancourt-Smith  13:21
Thanks again.

Ryan Berger  13:22
Pleasure. Talk soon.

Alix Stoicheff  13:23
Thanks, Ryan.

Ryan Berger  13:24
Thanks.