Written by Johanna Thiessen
Consent waivers are designed to limit an organization’s reach into your privacy. However, they do not guarantee that organizations will stay within those boundaries. Consumers are at the mercy of powerful, modern technology organizations. It has never been easier to track people and collect, distribute, and store their information.
In June 2020, the Office of the Privacy Commissioner of Canada (“OPC”), together with the Commission d’accès à l’information du Québec (“CAI”), the Office of the Information and Privacy Commissioner of Alberta (“OIPC-AB”), and the Office of the Information and Privacy Commissioner for British Columbia (“OIPC-BC”), began an investigation into the Canadian operator and franchisor of Tim Hortons. This investigation was prompted primarily by a National Post article titled “Double-double tracking: How Tim Hortons knows where you sleep, work, and vacation”. In the article, the author describes how he discovered that the Tim Hortons app (the “App”) was tracking his every move, even when the App was closed, even though he had only given permission to track his location while the App was open. According to the author, the App states that it only tracks a user when the App is open. In less than five months, the App tracked the author’s location in Canada, Europe and northern Africa and identified where he lived, where he worked, and when the App believed he entered a competitor’s place of business.
The OPC identified two issues to be investigated:
- Was the personal information collected by Tim Hortons used for an appropriate purpose?
- Was valid consent obtained by Tim Hortons?
As to the first issue, the OPC held that the ongoing collection of personal information by Tim Hortons beyond the use of the App was not for an appropriate purpose. Subsection 5(3) of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) states: “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances”. A reasonable person using the App would not consider Tim Hortons’ continual collection of personal information when the App was closed to be appropriate.
Regarding the second issue, the OPC determined that Tim Hortons did not obtain valid consent because they did not inform users that they would continue to collect personal information while the App was closed, they made misleading statements to users of the App that it would only collect information while the App was open, and they failed to guarantee that users of the App understood the consequences of consenting to the ongoing collection of personal information. Section 4.3 of Schedule 1 of PIPEDA requires the knowledge and consent of an individual to collect, use or disclose personal information, except where inappropriate. Inappropriate circumstances include legal, medical, or security reasons where it may be impractical to obtain consent. Section 6.1 of PIPEDA states that for consent to be valid, it must be reasonable to expect that an individual to whom the organization’s activities are directed would understand the purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. Neither of these PIPEDA requirements was met by Tim Hortons.
Although it was found that Tim Hortons violated the Acts, that finding came only after the personal information of the users of the App had already been collected, used, and disclosed. The damage was already done. The primary concern here is that a user of an app has no guarantee that an organization is abiding by the consent waiver they have signed. Although the principles set out in PIPEDA are well intentioned, it is clear they are not enough to deal with the risks created by electronic databases. Additional legislation needs to be put in place to transfer power back to consumers.
 Woodrow Hartzog, “What is Privacy? That’s the Wrong Question” (2021) 88:7 U Chi Rev 1677 at 1682 (Heinonline) [Woodrow].
 Office of the Privacy Commissioner of Canada, “Joint investigation into location tracking by the Tim Hortons App”, (01 June 2022), online: Office of the Privacy Commissioner of Canada, <www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/> [perma.cc/MF9S-CJBQ] [OPC].
 Personal Information Protection and Electronic Documents Act, SC 2000, c 5, ss 5(3) [PIPEDA].
 OPC, supra note 2.
 PIPEDA, supra note 7 at schedule 1, principle 4.3.
 Woodrow, supra note 1.
The views and opinions expressed in the blogs and case reporter are the views of their authors, and do not represent the views of the Desautels Centre for Private Enterprise and the Law, the Faculty of Law, or the University of Manitoba. Academic Members of the University of Manitoba are entitled to academic freedom in the context of a respectful working and learning environment.