Tim Hortons is a national brand in Canada. Millions of people buy their coffee, donuts, and muffins from “Timmys” every day.
But last week, Tim Hortons was in the news for abusing customer information. Using the corporate app downloaded by millions of people, Tim Hortons management was collecting information that was an excessive overreach and which it had no intention of using for business purposes. As a result, it ran afoul of the country’s privacy laws.
Now Canada’s privacy laws are weak and ineffective. There is no real enforcement mechanism apart from the court of public opinion. Tims has been there before on other matters and never really seems to lose market share. The odds are that the public cares more about caffeine than confidentiality this time too.
What Does the Law Require?
So what foul did Tim Hortons commit? Canadian privacy laws require that companies:
- Only collect the information they need for business purposes;
- Inform customers of the information they are collecting and why they are collecting it;
- Keep that information confidential;
- Delete any customer data or personally identifiable information when requested by a client;
- Dispose of all data once it is no longer relevant or the customer is no longer in a business relationship with the company.
Tims distributed the app with the promise that geolocation data would only be collected when a customer was using the app–presumably to point them to the nearest location for eating, ordering or pick-up. Instead, the app collected geolocation data continuously for as long as the phone or device was powered on. Every location visited by a customer with the app was reported to Tim Hortons servers. From this information, the company could determine where people lived, how often they went to their doctor, whether they were traveling,
Tims also supplied that data to an American company for its own marketing purposes. While this third-party data was “de-identified”, meaning that actual names and identifying information were removed before transmitting it, it really isn’t possible to “de-identify” anyone these days. With a postal code and a birthday (or some other minor personal data points) there is a high probability that the individual behind these data points can be uniquely identified.
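To show why a “de-identified” export still carries re-identification risk, here is an added check (not from the article, and not Tim Hortons code) that counts how many records in a constructed sample remain unique on postal code plus birth date, and how much generalizing those two fields helps. The rows, the field names and the generalize() rule are assumptions for illustration.

```python
from collections import Counter

# Constructed "de-identified" export: direct identifiers (name, e-mail) are
# gone, but full postal code and full birth date remain as quasi-identifiers.
DEIDENTIFIED_ROWS = [
    {"postal_code": "K1A 0B1", "birthday": "1985-03-12", "visits": 14},
    {"postal_code": "K1A 0B2", "birthday": "1985-09-01", "visits": 3},
    {"postal_code": "M5V 2T6", "birthday": "1985-03-12", "visits": 8},
    {"postal_code": "M5V 2T6", "birthday": "1985-03-12", "visits": 11},
    {"postal_code": "V6B 1A1", "birthday": "1978-11-30", "visits": 2},
    {"postal_code": "V6B 3C4", "birthday": "1978-02-14", "visits": 6},
]

QIDS = ["postal_code", "birthday"]  # the quasi-identifier columns to audit


def equivalence_classes(rows, quasi_identifiers):
    """Group rows by their quasi-identifier tuple and count each group."""
    return Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)


def k_anonymity(rows, quasi_identifiers):
    """Smallest group size; k == 1 means at least one person is unique."""
    return min(equivalence_classes(rows, quasi_identifiers).values())


def count_unique(rows, quasi_identifiers):
    """Rows that are the only member of their group, i.e. re-identifiable
    by anyone who knows that person's postal code and birthday."""
    groups = equivalence_classes(rows, quasi_identifiers)
    return sum(1 for size in groups.values() if size == 1)


def generalize(row):
    """Coarsen the quasi-identifiers (assumed rule): keep only the forward
    sortation area (first three characters of a Canadian postal code) and
    the birth year, dropping the rest before the data leaves the company."""
    return {**row, "postal_code": row["postal_code"][:3],
            "birthday": row["birthday"][:4]}


if __name__ == "__main__":
    print("raw export:  k =", k_anonymity(DEIDENTIFIED_ROWS, QIDS),
          "unique rows =", count_unique(DEIDENTIFIED_ROWS, QIDS))
    coarse = [generalize(r) for r in DEIDENTIFIED_ROWS]
    print("generalized: k =", k_anonymity(coarse, QIDS),
          "unique rows =", count_unique(coarse, QIDS))
```

On the sample, the raw export has k = 1 with four of six rows unique, while the generalized version reaches k = 2 with none unique; a real audit would run the same counts over the full export before any transfer to a third party.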
What Could Tims Have Done?
First of all, Tims should only have collected the data it told people it would collect, and used it for the purposes it told them it would use it for. Honesty is a big part of the law. If you’re going to collect all the places your customer visits, say so and come up with a justification for why you need this information.
For example, suppose Tims had told people that they “collect people’s location information so that they can offer incentives and discounts to build brand loyalty.” This would be a legitimate reason to collect location data provided that Tims then geo-fenced all Starbucks and Second Cup locations and sent a digital coupon to any of their customers who stepped into a competing coffee shop. This would also have been a justification for collecting location data even when a customer wasn’t using the app.
But they didn’t.
If you’re collecting customer data using an app or some other way:
- Tell customers why you need the data
- Get their permission to collect the data
- Keep their data safe and private
- Delete it when you no longer need it or your customers tell you to delete it
- And use it for the purposes that you said you would–and no more!
That’s all a Canadian needs to do to keep out of the privacy sin bin.