Published:June 11, 2022
-New York Times
One way to figure out how deeply Tim Hortons is woven into Canada’s fabric is a cross-border comparison. If McDonald’s, perhaps its closest analogue in the United States, wanted to have the same per capita reach in that market as Tim Hortons boasts in Canada, it would have to roughly triple its 13,000-plus American outlets.
Despite being foreign owned since 2014, Tim Hortons still waves the Canadian flag as vigorously as it can. But last week, a scathing report by the federal privacy commissioner and three of his provincial counterparts laid out in great detail how Tim Hortons ignored a wide array of laws to spy on Canadians, creating “a mass invasion of Canadians’ privacy.”
“As a society, we would not accept it if the government wanted to track our movements every few minutes of every day,” the federal privacy commissioner, Daniel Therrien, said in his last official news conference. “It is equally unacceptable that private companies think so little of our privacy and freedom that they can initiate these activities without giving it more than a moment’s thought.”
When the report was released, Mr. Therrien and the other privacy commissioners made it clear that Tim Hortons had breached the privacy of Canadians to an extraordinary extent.
“Geolocation data is incredibly sensitive because it paints such a detailed and revealing picture of our lives,” he said, adding that “the risks related to the collection and use of location information remain high, even when ‘de-identified,’ as it can often be re-identified with relative ease.”
While there are some class actions against Tim Hortons underway, the company has not been fined or penalized under federal or provincial privacy laws.
The app remains available for download on both iPhones and Android phones. (I asked Apple and Google if the tracking software violated their app store policies or if they had taken any action against Tim Hortons. Neither company got back to me.)
In an email, Tim Hortons said that it began its own privacy review in 2020 and is implementing all of the recommendations in the privacy commission’s report.
Mr. Therrien and outside experts have long argued that Canada’s privacy laws, or its system for enforcing them, are in need of substantial revision. It took a journalist to discover what Tim Hortons was doing, the official investigation dragged on for nearly two years and, ultimately, there were no penalties. Only Quebec’s privacy office currently has the power to impose fines, but the maximum penalty it could have imposed on Tim Hortons, whose corporate parent had sales of $2 billion in 2020, is 10,000 Canadian dollars.
“The laws have no teeth,” Jill Clayton, the information and privacy commissioner for Alberta, told the news conference.
Mr. Therrien said that the Tim Hortons case is not an isolated example — it’s just the one that was exposed.
“It is clear that what happened in Tim Hortons is also happening elsewhere in the collection-of-information ecosystem,” he said. “Are there sufficient safeguards? Clearly not.”