On January 26, 2023, the Office of the Privacy Commissioner of Canada (OPC) found that Home Depot disclosed a customer’s personal information to Facebook (now Meta) without his knowledge or consent contrary to PIPEDA. Consequently, Home Depot needed to implement the OPC’s recommendations, which it did following the investigation.
What happened?
A client of Home Depot discovered that, while he was deleting his Facebook account, Facebook had accumulated a record of most of his in-store purchases that he made at Home Depot. In fact, the data was located in the “Off-Facebook Activity” section of his account. In response, he promptly tried to resolve the matter at Home Depot, but was told (incorrectly) that his information was not shared with the company. This was when he brought a complaint to the OPC.
The OPC received responses from both companies and noted that since 2018, Home Depot had been using a business tool provided by Facebook, “Offline Conversions.” In line with the Business Tools terms, this tool allowed businesses to measure the extent to which Facebook ads led to real-world outcomes such as purchases in stores. More precisely, companies could use the tool to understand how much of their offline activity could be attributed to ads, measure the offline return on ad spending, and reach people offline and show ads to people based on the actions they took offline. Interestingly, Facebook could also use the tool to create lookalike audiences to deliver ads across Meta technologies to people with a similar profile.
Home Depot also explained that this scenario only applied to in-store customers who asked for an e-receipt, and it helped Home Depot to understand the effectiveness of an advertising campaign on Meta’s platforms and its impact on in-store sales, provided in aggregated form. Given that Facebook was performing a processing activity for Home Depot, Home Depot was of the view that Facebook acted as a service provider to Home Depot.
During the process, Home Depot forwarded customers’ hashed email addresses and offline purchase details to Facebook. At no time were customers told about the sharing of data to Facebook, or the subsequent process of matching emails to Facebook accounts to measure ad effectiveness.
What were the findings?
The findings were as follows:
- When considering the form of consent, Home Depot failed to ensure valid consent for the disclosure.
When examining Principle 4.3.4 of Schedule 1 in PIPEDA, it was important to note that, when determining the form of consent to use, organizations had to take into account the sensitivity of the information. Moreover, it was necessary to consider that, pursuant to Principle 4.3.5 of Schedule 1 in PIPEDA, the reasonable expectations of the individual were relevant. Another critical document was the Guidelines for obtaining meaningful consent; there were certain instances where it was necessary to obtain express consent, namely when the information being collected, used, or disclosed was sensitive; the collection, use, or disclosure was outside the reasonable expectations of the individual; and/or the collection, use, or disclosure created a meaningful residual risk of significant harm.
Although Home Depot argued that individuals suffered from “consent fatigue” and that there was implied consent through Home Depot’s Privacy and Security Statement, Facebook’s Privacy Policy, and the lack of sensitive information involved, “Home Depot did not obtain customers’ implied consent for the practice at hand”. That is, most customers would be completely unaware of the practice, and would not reasonably expect it—customers’ conduct of providing their email address to obtain an e-receipt could not be implied to constitute permission for the information to be used by Home Depot for secondary purposes, let alone for disclosure to Meta to be used for its own separate business purposes. And in any event, Home Depot could not have relied on implied consent for the practice. More specifically, the information could become sensitive in situations where it was shared with Meta to be combined with other information it had, to create a rich multi-dimensional profile about the individual. Customers would not reasonably expect, or have any reason to suspect, that their email addresses and offline purchase details would be shared with Meta for the purpose of measuring the impact of Home Depot’s online advertising campaigns. Clearly, Home Depot should have obtained express consent, at or before the time of collection, for these purposes. While Home Depot argued that clients could withdraw their consent at any time, this was not sufficient in this case. - Home Depot failed to ensure valid meaningful consent for the disclosure. The above-mentioned Privacy and Security Statement and the Privacy Policy did not support a finding of meaningful consent. Pursuant to Principle 4.3.2 of Schedule 1 of PIPEDA, companies had to make reasonable efforts to explain the purposes of collection, use, or disclosure, and the purposes had to be stated in such a manner that individuals could reasonably understand how the information would be used or disclosed. Also, section 6.1 of PIPEDA required valid consent to be in a way that individuals could understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they were consenting. Further, the OPC’s Guidelines required a company to explain the purposes in plain language (without burying it in a densely written Privacy Policy). The OPC’s Guidelines also required companies to inform individuals of their privacy practices in a comprehensive and understandable manner, and in an accessible manner.
Although there were copies of the Privacy Statement in printed form, Home Depot never directed customers to them or explained that customer information may be forwarded to Facebook when they were receiving an e-receipt. Indeed, customers expected that they would be receiving an e-receipt of the transaction involved. The OPC stated, “We therefore find that customers would have no reason to refer to the aforementioned privacy documents to obtain further information on a practice they are unaware of.” And in contrast to Principle 4.3.2, Home Depot put the onus on customers to ask for hard copies of privacy documents. The OPC emphasized that even if customers requesting an e-receipt were to read Home Depot’s Privacy Statement, they would not reasonably understand the nature of the information sharing with Meta, or the consequences of this practice. Vague language such as “improve our products and services” was not sufficient in this case.
As a consequence, the OPC recommended the following:
- Cease disclosing, to Meta, personal information of customers requesting an e-receipt, until such time that it implements measures to ensure valid consent.
- Should it choose to recommence its practice of sharing customer information with Meta via Offline Conversions, implement measures to obtain express, prior opt-in consent for the practice.
- Amend privacy communications to ensure transparent messaging and meaningful consent for this practice, by:
- providing key information up front, at the time customers request an e-receipt, including: (i) what information will be disclosed to Meta; (ii) that it will be used for the purpose of measuring the effectiveness of Home Depot’s Facebook advertising campaigns; (iii) that the information will also be used by Meta for its own purposes, including targeting; and (iv) that customers have the option to withdraw consent at a later time, and
- including in its Privacy Statement a more detailed explanation of the practice, and how to withdraw consent.
In response, Home Depot discontinued the use of Meta’s Offline Conversions Tool in October 2022, and also confirmed that should it decide to re-engage with it, it would implement the OPC’s recommendations.
What can we take from this development?
As can be seen in the above case, it is critical for companies to ensure that they are obtaining valid consent before collecting, using, and disclosing personal information in line with PIPEDA. In order to remain in compliance, there are a few places to look when it comes to understanding consent:
- section 6.1 of PIPEDA
- Principle 3—Consent in Schedule 1 of PIPEDA
- OPC Guidelines of Meaningful Consent
Organizations are recommended to take a look at these materials in order to remain in compliance with PIPEDA. They are also reminded that neither raising “consent fatigue” nor pointing to complicated privacy documents is sufficient. When it comes to consent, more efforts must be used to make customers aware and explain in plain language the purposes of collection, use, or disclosure of personal information. This may involve directing customers to certain materials and explaining (without using jargon) what the consequences of data sharing with outside parties might be.
And above all, in times of noncompliance, it is highly recommended that companies follow Home Depot’s example and cooperate with the OPC to promptly bring themselves into compliance so the matter can be resolved in a timely manner.
Please note that any views expressed in this article are solely the views of the author.
- Social media in the workplace: Addressing cybersecurity risks - May 26, 2023
- ChatGPT and privacy complaints: investigations launched - April 21, 2023
- Home Depot disclosed personal information without valid consent - March 24, 2023
Leave a Reply