Geolocation data tracking of a popular restaurant chain's app led to the loss of privacy of millions of users, Canadian data privacy authorities said.

The privacy commissioner's probe into the Tim Hortons mobile app found that the app unnecessarily collected extensive amounts of data without obtaining adequate consent from users.

Data Was Never Used for Intended Purposes, Probe Finds

Canadian invesitgators found that Tim Hortons gathered granular location data for targeted advertising and product promotions without customer consent, and that the company never used such data for the stated purposes.

Read Also: Why Data Security is More Important Than Ever

According to a report from the Office of the Privacy Commissioner of Canada, the data collection, which happened while the app was not in use, resulted in "a loss of Users' privacy that was not proportional to the potential benefits Tim Hortons may have hoped to gain from improved targeted promotion of its coffee and associated products."

The investigation started two years ago by the Office of the Privacy Commissioner of Canada in partnership with privacy officials in British Columbia, Quebec and Alberta. This came after reports surfaced that the Tim Hortons app monitored users' geolocation while not using the app.

The restaurant chain's app has four million active users, according to a CBC report quoting a company presentation to investors.

Third Party Named in Quetionable Tim Hortons Data Collection

Tim Hortons contracted a third-party service provider, Radar, to gather geolocation data of users. In August 2020, Tim Hortons stopped collecting location data.

However, the investigation discovered that there was a lack of contractual safeguards for users' personal data while being captured by Radar. The report describes the language in the contractual clauses to be "vague and permissive," which could have allowed Radar to use the personal information collected in aggregated or de-identified form for its own puposes or for other campaigns users do not know of.

The report said the language used in the contract did not offer "adequate protection by Tim Hortons, of Users' personal information."

"While we accept that Radar did not engage in a use or disclosure for its own purposes, the contractual language in this case would not appear to constitute adequate protection, by Tim Hortons, of Users' personal information," the report said.

The report states that Tim Hortons also agreed to delete all granular location data and to have third-party service providers do so as well, as per recommendations from the privacy authorities. The company also agreed to establish a privacy management program for its app and all future apps to ensure they are compliant with federal and provincial privacy legislation.

The federal law governing privacy issues is called the Personal Information Protection and Electronic Documents Act, or PIPEDA.

The report found that while the Tim Hortons app was not compliant with privacy laws, the restaurant chain has since taken steps to resolve the issues.

"We've strengthened our internal team that's dedicated to enhancing best practices when it comes to privacy and we're continuing to focus on ensuring that guests can make informed decisions about their data when using our app," a statement from Tim Hortons released on Wednesday said.

"While we accept that Radar did not engage in a use or disclosure for its own purposes, the contractual language in this case would not appear to constitute adequate protection, by Tim Hortons, of Users' personal information," the report said.

Related Article: Afraid Data Brokers Are Selling Your Personal Information? This 1 Tool Prevents It From Happening