Canadian investigators determined that users of the Tim Hortons coffee chain’s mobile app “had their movements tracked and recorded every few minutes of every day,” even when the app wasn’t open, in violation of the country’s privacy laws.

“The Tim Hortons app asked for permission to access the mobile device’s geolocation functions but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data,” according to an announcement Wednesday by Canada’s Office of the Privacy Commissioner. The federal office collaborated with provincial authorities in Quebec, British Columbia, and Alberta in the investigation of Tim Hortons.

“The app also used location data to infer where users lived, where they worked, and whether they were traveling,” the Office of the Privacy Commissioner said. “It generated an ‘event’ every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.”

Tim Hortons scrapped plans to use the app for targeted advertising but “continued to collect vast amounts of location data” for another year “even though it had no legitimate need to do so,” the Office of the Privacy Commissioner said. Tim Hortons said it used aggregated location data “to analyze user trends—for example, whether users switched to other coffee chains and how users’ movements changed as the pandemic took hold,” the federal office said.

“Inappropriate Form of Surveillance”

“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers,” Canada Privacy Commissioner Daniel Therrien said. “Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance.”

Tim Hortons has more than 5,100 stores in 13 countries. Most are in Canada, but there are more than 600 in the US, mostly in New York, Michigan, and Ohio.

Tim Hortons halted the continual tracking of users’ locations in 2020 after the government began investigating. But that “did not eliminate the risk of surveillance” because “Tim Hortons’ contract with an American third-party location services supplier contained language so vague and permissive that it would have allowed the company to sell ‘de-identified’ location data for its own purposes,” the Office of the Privacy Commissioner said. As the office noted, there “is a real risk that de-identified geolocation data could be re-identified.”

Tim Hortons agreed to implement the agencies’ recommendations but apparently will not face any punishment. The investigative report said that Tim Hortons’ commitments “will bring the company into compliance” with Canadian law and that “we therefore find this matter to be well-founded and conditionally resolved.” That’s the language used when an organization violates Canadian privacy laws but has “committed to implementing satisfactory corrective actions.”

The announcement said Tim Hortons agreed to “delete any remaining location data and direct third-party service providers to do the same,” implement a privacy program that “includes privacy impact assessments for the app and any other apps it launches,” implement “a process to ensure information collection is necessary and proportional to the privacy impacts identified,” and ensure “that privacy communications are consistent with, and adequately explain, app-related practices.” Tim Hortons also agreed to report back to the government with details on its compliance.

Reporter Uncovered Privacy Violation

The investigation began after a June 2020 Financial Post report titled “Double-double tracking: How Tim Hortons knows where you sleep, work, and vacation.” Reporter James McLeod found that “Tim Hortons had recorded my longitude and latitude coordinates more than 2,700 times in less than five months, and not just when I was using the app,” even though the app “told customers that it tracks location ‘only when you have the app open.'”

Tim Hortons’ statement said, “In June 2020, we took immediate steps to improve how we communicate with guests about the data they share with us and began reviewing our privacy practices with external experts. Shortly thereafter, we proactively removed the geolocation technology outlined in the report from the Tims app. Data from this geolocation technology was never used for personalized marketing for individual guests. The very limited use of this data was on an aggregated, de-identified basis to study trends in our business—and the results did not contain personal information from any guests.”

Alberta Information and Privacy Commissioner Jill Clayton said the investigation provides “yet another example where an organization has not effectively notified customers about its practices. Tim Hortons’ customers did not have adequate information to consent to the location tracking that was actually occurring.”

This story originally appeared on Ars Technica.