Tim Hortons privacy violations show marketers still have much to learn: experts

by Chris Powell

On the same day that the Office of the Privacy Commissioner of Canada released a critical report stating that Tim Hortons violated privacy laws by using its app to collect “vast amounts” of sensitive location data about its users, the coffee chain unveiled a lighthearted new ad featuring Canadian superstar Justin Bieber promoting the new Biebs Brew coffee collaboration.

In some ways, that dichotomy is a perfect representation of why consumers can be simultaneously attracted and repelled by brands. On the one hand, Tim Hortons has created a fun new summer product that carries the endorsement of a global superstar. It’s smart marketing.

But there’s also the unfortunate fact that Tim Hortons engaged in what Privacy Commissioner Daniel Therrien called “an inappropriate form of surveillance” through its app. The coffee chain said in a statement (below) that the data was never used to target its advertising, but instead to study trends in its business.

However, the OPC said that the app generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.

First the facts:

According to the OPC report, users of the Tim Hortons app, developed by U.S. geo-location specialists Radar Labs, had their “movements tracked and recorded every few minutes of every day,” even when they weren’t using the app. The coffee chain misled consumers into thinking that the information would only be accessed when they were in the app, when in reality it tracked them as long as their device was on.

According to the OPC, location data is “highly sensitive” because it can be used to infer where people live and work, or reveal trips to medical clinics or make deductions about religious beliefs, sexual preferences, social political affiliations and more. This is the kind of highly personal information that no company, whether it’s selling coffee, burgers, insurance or soap, should know.

While experts insist that today’s report isn’t representative of the industry, it can sometimes feel like some data-hungry marketers continue to regard privacy regulation as a minor speed-bump on the way to marketing effectiveness. “Marketers will do anything it takes to do things, until someone tells them not to, or that they shouldn’t,” said Mitch Joel, one of Canada’s top digital marketing experts.

Jed Schneiderman, who has nearly two decades experience in senior digital and mobile marketing roles, said marketers’ continue to push the envelope on data and privacy for three reasons:

  • Outdated privacy laws—companies will continue to operate in grey areas or areas where there is no enforceability or financial penalty;
  • A perceived lack of consequences—many of the companies either appeal fines, don’t pay them, or pay them and move on; an
  • Inexperience—a lot of marketers and solutions providers are doing things for the first time and perhaps have never encountered specific issues related to new products and offerings.

Brands often insist that intimate knowledge of their customer enables them to deliver more relevant ads for products or services they’re interested in when they’re more likely to be receptive to the communications. We’ve heard the “right ad, at the right place and right time” mantra so often by now that it has become an accepted truism of digital marketing.

But the OPC report makes it clear that this is a marketing fallacy. “The investigation concluded that Tim Hortons’ continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products,” it said in a release.

Joel agrees that the importance of such granular data has been overblown. “There are probably a handful… of data points that any brand needs in order to get a sale,” he said, and it probably requires even less data for a brand to maintain that relationship with its customer and provide future value.

“Just because you can collect data does not mean that you should,” added Schneiderman. “I think some marketers and businesses opt for collecting data because they can, as opposed to asking why.”

Some companies collect data because they want to use it, he added, but tend to skip the step of telling consumers they’re collecting it and why. “Personally, I don’t think most consumers would care if there was a valid reason or at least if they were told,” he said.

Both Joel and Schneiderman said that what happened with Tim Hortons might come down to a question of digital literacy. While it doesn’t necessarily absolve Tim’s, particularly since it’s one of country’s biggest and most sophisticated marketers, there’s a good chance its team was unaware of the scope and nature of the data collection, said Schneiderman.

“I wonder if the company knows what the vendor actually does,” said Joel, referring to the third party vendor who developed the app.

For its part, Tim Hortons said in a statement that it has fully co-operated with the privacy commissioners of Canada, Alberta, British Columbia and Quebec and begun work on implementing their recommendations.

“It’s important to highlight the report does not require that any new changes be made to the Tim Hortons app and it also concludes that the geolocation data in question was never used for targeted advertising purposes,” it said.

Both Joel and Schniederman agreed that the OPC report is unlikely to have any tangible impact on the Tim Hortons brand. A few people might go as far as uninstalling the Tim Hortons app, but most, if not all, of the estimated 5.3 million Canadians who visit its stores daily will be back tomorrow, looking for their cup of Biebs Brew.

Tim Hortons statement

We fully co-operated with the privacy commissioners of Canada, Alberta, British Columbia and Quebec in the course of their investigation and we’ve already begun work on implementing their recommendations.

It’s important to highlight the report does not require that any new changes be made to the Tim Hortons app and it also concludes that the geolocation data in question was never used for targeted advertising purposes.

In June 2020, we took immediate steps to improve how we communicate with guests about the data they share with us and began reviewing our privacy practices with external experts. Shortly thereafter, we proactively removed the geolocation technology outlined in the report from the Tims app. Data from this geolocation technology was never used for personalized marketing for individual guests. The very limited use of this data was on an aggregated, de-identified basis to study trends in our business – and the results did not contain personal information from any guests.

We’ve strengthened our internal team that’s dedicated to enhancing best practices when it comes to privacy and we’re continuing to focus on ensuring that guests can make informed decisions about their data when using our app.

Photo by Erik Mclean on Unsplash

Chris Powell