No Coffee Breaks from Privacy Compliance - A Cautionary Tale for App Developers

  • July 11, 2022
  • Roland Hung and Ida Sherkat, Torkin Manes LLP

In an effort to engage with customers on a deeper level, companies are increasingly investing time and resources into developing and improving their mobile applications.  Mobile applications can increase customer engagement and promote long-term business growth by making a company’s products and services more accessible to the customer and driving brand loyalty.

This article highlights that navigating this unique technological space requires companies to be aware of the consequences of potential boundless tracking of their app users and to ensure they are compliant with Canadian privacy laws.

Background

On June 1, 2022, the Office of the Privacy Commissioner of Canada (the “OPC”) released their findings from an investigation launched into the location tracking function of the Tim Hortons app. The May 2019 versions of the app made use of Radar, a third-party service provider, to collect GPS location data that enabled Tim Hortons to infer the homes, places of work, travel and competitor visiting habits of the app users (“App Users”). Device locations were tracked as often as every few minutes for this purpose, even in circumstances where user permission requests were made on the basis of location only being tracked while the app was opened. In fact, the app was found to track the exact location of an individual more than 2,700 times in less than five months, including tracking in destinations around the world where Tim Hortons does not operate.

Tim Hortons identified that this granular location data was collected for the purposes of delivering targeted advertising to better promote their products. Tim Hortons confirmed that shortly after implementing this update, their attention was refocused to other commercial endeavours, resulting in the data being only minimally used for user trend analytics. The data was never used to tailor or personalize marketing or to conduct reports to a particular user.