Tim Hortons tracked when customers went to Starbucks…and more. Lessons for US Privacy Law — bobsullivan.net
How much sugar do you want with this coffee? And how much monitoring? If you “cheated” on your favorite coffee with another, would you mind an app talking to you?
Earlier this month, the Privacy Commissioner of Canada found that the Tim Hortons chain broke the law by monitoring app users, who were “tracked and logged every few minutes of every day, even when their app was not open”. That sounds bad enough, but the story behind the investigation reveals that a far scarier form of surveillance capitalism was unfolding. Two years ago, Financial Post reporter James McLeod used Canadian law to compel disclosure of every bit of information Tim Hortons had collected about him and twisted it into a dramatic narrative.
“I had no idea the extent of the tracking data until I saw it. There were readings taken at all times of the day and night, and (the app) was monitoring me every time that the app thought I was visiting one of its competitors,” he wrote.
The app, McLeod found, “identified where he lived and worked…and noted when he thought he had walked into a Starbucks, Second Cup, McDonald’s, Pizza Pizza, A&W, KFC or Subway,” according to the Canadian investigation. It also knew when he went to a Toronto Blue Jays baseball game, when he went to Manitoba for a wedding, even when he arrived at Schiphol Airport in Amsterdam.
The full survey is worth reading; the same goes for the original report of 2020.
As the conversation around a federal privacy law in the United States appears to be suddenly reignited, much to the delight of many who thought efforts to pass legislation during this trying political season were doomed to failure, there are still many unanswered questions. Do tech industry insiders have too much to say about proposed language in US data protection and privacy law? Will consumers really gain new protections, or will the law entrench existing (bad) behaviors? And how many exceptions will be made for law enforcement, for employers, even for data brokers? Shoshana Wodinsky at Gizmodo offers here a balanced and skeptical analysis of the bill in its current form. And a summary of its provisions is here (PDF).
But I think the timing of the Tim Hortons investigation is helpful, because as wacky as the story is, it also highlights a few things that worked well. McLeod only had a hunch that something was wrong because Google added a new privacy feature to its smartphone: the option to share location information with apps only when they’re open. The Tim Hortons app requested more access than that, leading McLeod to file a so-called PIPEDA request. Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), users can ask companies to disclose any data that has been collected about them. When McLeod received his response, he had his story, and the Privacy Commissioner of Canada investigated.
Under the California State Privacy Act, consumers can now file what are known as Data Subject Access Requests (DSARs) and get reports similar to the one that McLeod got from Tim Hortons. This right of disclosure should be an essential tool for all Americans, made as simple as possible and widely advertised as a feature. In its current form, US privacy and data protection law requires such disclosure and, importantly, that it be made available “in a human-readable and downloadable format that individuals can understand without expertise.” Of course, most consumers won’t take advantage of this opportunity, but a few will. And who knows what stories might be uncovered as a result.