Privacy concerns over Tim Hortons mobile ordering app, June 1, 2022. (Photo: LNN)
Too Much Information

Privacy watchdogs say Tim Hortons app collected vast amounts of sensitive data

Jun 1, 2022 | 10:59 AM

OTTAWA, ON – Federal and provincial privacy watchdogs say the Tim Hortons mobile ordering app violated the law by collecting vast amounts of location information from customers.

In an investigation finding today [June 1, 2022], privacy commissioners say people who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of the day, even when their app was not open.

The investigation came after National Post reporter James McLeod obtained data showing the Tim Hortons app on his phone had tracked his location more than 2,700 times in less than five months.

Federal privacy commissioner Daniel Therrien conducted the investigation jointly with privacy commissioners from British Columbia, Quebec and Alberta.

The commissioners found the Tim Hortons app asked for permission to access a mobile device’s geolocation functions, but misled many users to believe information would only be accessed when the app was in use.

However, the app tracked users as long as the device was on, continually gathering their location data.

The Office of the Privacy Commissioner of Canada notes that location data is highly sensitive because it can be used to infer where people live and work, and reveal trips to medical clinics. It can also be used to make deductions about religious beliefs, sexual preferences, social political affiliations and more.

The Office says organizations must implement robust contractual safeguards to limit service providers’ use and disclosure of their app users’ information, including in de-identified form. Failure to do so could put those users at risk of having their data used by data aggregators in ways they never envisioned, including for detailed profiling.

The investigation also revealed that Tim Hortons lacked a robust privacy management program for the app, which would have allowed the company to identify and address many of the privacy contraventions the investigation found.

The four privacy authorities recommended that Tim Hortons:

  • Delete any remaining location data and direct third-party service providers to do the same;
  • Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain, app-related practices; and
  • Report back with the details of measures it has taken to comply with the recommendations.

Tim Hortons agreed to implement the recommendations.