How many sugars do you want with that coffee? And how much surveillance? If you were “cheating” on your favorite coffee shop with a different one, would you mind if an app told on you?
Earlier this month, Canada’s Privacy Commissioner found that the Tim Hortons chain violated the law when it surveilled app users, who were “tracked and recorded every few minutes of every day, even when their app was not open.” That sounds bad enough, but the story behind the investigation reveals that far creepier surveillance capitalism was going on. Two years ago, Financial Post journalist James McLeod used Canadian law to demand every piece of information Tim Hortons had collected on him, and spun it into a dramatic narrative.
“I had no idea how extensive the tracking data was until I saw it. There were readings taken at all hours of the day and night, and (the app) kept tabs on me every time the app thought I was visiting one of its competitors,” he wrote.
The app, McLeod found, “identified where he lived and worked…and noted when it believed he entered a Starbucks, Second Cup, McDonald’s, Pizza Pizza, A&W, KFC or Subway,” according to the Canadian investigation. It also knew when he went to a Toronto Blue Jays baseball game, when he went to Manitoba for a wedding, even when he arrived at Amsterdam’s Schiphol Airport.
The full investigation is worth reading; so is the original news report from 2020.
As conversation around a federal privacy law in the U.S. seems to be suddenly reignited, much to the delight of many who thought efforts to pass any legislation during this testy political season were doomed, there are still plenty of lingering questions. Have tech industry insiders had too much to say about the proposed language in the American Data Privacy and Protection Act? Will consumers really acquire new protections, or will the law entrench existing (bad) behaviors? And how many exceptions will be made for law enforcement, for employers, even for data brokers? Shoshana Wodinsky at Gizmodo offers a level-headed, skeptical analysis of the bill in its current form here. And a summary of its provisions is here (PDF).
But I think the timing of the Tim Hortons investigation is helpful, because however icky the story is, it also points to a couple of things that worked well. McLeod only had a hunch something was wrong because Google added a new privacy feature to his smartphone — the option to limit sharing of location information with apps to only when they are open. The Tim Hortons app was requesting more access than that, which led McLeod to file a so-called PIPEDA request. Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), users can ask companies to divulge all the data that’s been collected about them. When McLeod got his response, he had his story, and Canada’s privacy commissioner had an investigation.
Under California’s state privacy law, consumers can now file what are known as DSARs — Data Subject Access Requests — and get reports similar to the one McLeod got from Tim Hortons. This disclosure right should be an essential tool for all Americans, made as easy as possible, and advertised broadly as a feature. In its current form, the American Data Privacy and Protection Act calls for such disclosure, and critically, for it to be made available “in a human-readable and downloadable format that individuals may understand without expertise.” Sure, most consumers won’t take advantage of the opportunity, but a few will. And who knows what stories might be uncovered as a result.