Data leak

Tim Hortons App Covert Location Tracking: PIPEDA Investigation, Class Action

📅 2019-01-01 🏢 Tim Hortons mobile loyalty app (Restaurant Brands International)
Primary Source ↗

Incident Details

On 1 June 2022, Canada's Office of the Privacy Commissioner (OPC), jointly with the privacy commissioners of Alberta, British Columbia and Quebec, published the findings of an investigation into the Tim Hortons mobile app. The app embedded a third-party geofencing SDK that collected device location in the background, including while the app was not open, as often as every few minutes. From those records the app inferred where users lived and worked and whether they were travelling, and the data also showed visits to competitors, medical facilities, places of worship and other sensitive locations. The commissioners found this collection grossly disproportionate to the app's stated purposes of ordering and rewards, and found that the app's consent prompts led many users to believe location would be accessed only while the app was in use. Tim Hortons said it used the data only in a limited way for aggregate analytics, but its contract with the US location-data supplier was vague enough to have allowed that supplier to use "de-identified" location data for its own purposes. The investigation covered primarily 2019-2020; Tim Hortons stopped the continual tracking in 2020 after the investigation was launched. Tim Hortons, a Restaurant Brands International brand alongside Burger King and Popeyes, was found to have contravened PIPEDA (the Personal Information Protection and Electronic Documents Act) and the private-sector privacy laws of Alberta, British Columbia and Quebec. The investigation was prompted by a June 2020 Financial Post report in which a journalist obtained, through an access request, the location records the app held about him. Because the OPC has no order-making power under PIPEDA, it issued recommendations, which Tim Hortons agreed to implement: delete the remaining location data, direct its third-party service provider to do the same, and establish a privacy management programme for the app. Class actions were filed in Quebec and other Canadian provinces. The case became a landmark in Canadian mobile-app privacy enforcement and illustrated how invisible continuous location tracking is to the people being tracked.

Technical Details

Initial Attack Vector
The app embedded a third-party geofencing SDK that collected device location in the background, including while the app was not open, as often as every few minutes. This went far beyond what ordering and rewards required, tracking persisted between app sessions, and the consent prompts led users to believe location was accessed only while the app was in use.
Vendor / Product
Tim Hortons mobile loyalty app (Restaurant Brands International)
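A first triage check for the kind of background collection described above is to audit the Android manifest for whatever lets the app read location while it is not open. The script below is an added example, not code from the Tim Hortons app, RBI or the investigation; the three manifests in it are constructed for illustration and do not reproduce the real app's manifest or any SDK's identifiers. It flags an explicit ACCESS_BACKGROUND_LOCATION permission, a foreground service typed for location, and a boot receiver that can restart tracking without the user opening the app. It also covers the 2019-era case that is easy to miss: an app targeting API 28 or lower that requests fine or coarse location is granted ACCESS_BACKGROUND_LOCATION implicitly by the platform, so nothing in the manifest says "background".

```python
"""Audit an Android manifest for background-location collection capability.

Added illustration, not code from the Tim Hortons app, RBI or the OPC.
The manifests below are constructed for this example and do not reproduce
the real app's manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LOCATION_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}

# Constructed sample: explicit background permission plus the plumbing that
# lets tracking run while the app is not open.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loyalty">
    <uses-sdk android:targetSdkVersion="29"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Loyalty">
        <activity android:name=".MainActivity"/>
        <service android:name="com.example.geo.LocationService"
                 android:foregroundServiceType="location"/>
        <receiver android:name="com.example.geo.BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed sample of the 2019-era pattern: targetSdkVersion 28 or lower
# with fine location. The platform adds ACCESS_BACKGROUND_LOCATION
# implicitly, so nothing in the manifest says "background".
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loyalty">
    <uses-sdk android:targetSdkVersion="28"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Loyalty"><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed sample of a foreground-only ordering app.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loyalty">
    <uses-sdk android:targetSdkVersion="33"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <application android:label="Loyalty"><activity android:name=".MainActivity"/></application>
</manifest>"""


def attr(el, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Return findings explaining how the app could collect location while
    not in use. An empty list means the manifest only supports foreground use."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    findings = []

    sdk = root.find("uses-sdk")
    target = None
    if sdk is not None and attr(sdk, "targetSdkVersion"):
        target = int(attr(sdk, "targetSdkVersion"))

    if "android.permission.ACCESS_BACKGROUND_LOCATION" in perms:
        findings.append("BACKGROUND_LOCATION_PERMISSION")
    elif perms & LOCATION_PERMS and (target is None or target <= 28):
        # Apps targeting API 28 or lower get background location implicitly.
        findings.append("IMPLICIT_BACKGROUND_LOCATION_LEGACY_TARGET")

    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            types = (attr(svc, "foregroundServiceType") or "").split("|")
            if "location" in types:
                findings.append("LOCATION_FOREGROUND_SERVICE:" + attr(svc, "name"))
        for rcv in app.iter("receiver"):
            actions = {attr(a, "name") for a in rcv.iter("action")}
            if ("android.intent.action.BOOT_COMPLETED" in actions
                    and "android.permission.RECEIVE_BOOT_COMPLETED" in perms):
                # Tracking can restart after reboot without the app being opened.
                findings.append("BOOT_RESTART_RECEIVER:" + attr(rcv, "name"))
    return findings


if __name__ == "__main__":
    for label, manifest in [("sample", SAMPLE_MANIFEST),
                            ("legacy", LEGACY_MANIFEST),
                            ("clean", CLEAN_MANIFEST)]:
        print(label, audit_manifest(manifest) or ["foreground-only"])
```

A manifest audit shows capability, not what the app actually does; the definitive evidence in this case came from the data itself. To confirm collection, watch the app's location reads while it is backgrounded (Android's permission-usage and privacy dashboard views on recent releases) or, as the journalist did, make an access request for the records the company holds. On iOS the equivalent static signals are the NSLocationAlwaysAndWhenInUseUsageDescription key and "location" in UIBackgroundModes in Info.plist.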

Timeline

  1. 2019-01-01 Breach occurred
  2. 2022-06-01 Publicly disclosed
  3. 2022-06-01 Customers notified