A recent decision from the Office of the Privacy Commissioner of Canada ("OPC") highlights the importance of obtaining meaningful consent when you are collecting and using customer information, particularly when you are sharing that information with third parties.

On January 26, the OPC released its findings following a complaint that a major retailer was sharing customer emails and purchase information without customer consent. The OPC found the retailer failed to obtain valid meaningful consent for its disclosure of customer information.

Customer emails were shared with Facebook

A customer filed a complaint with the OPC after discovering, while deleting his Facebook account, that Meta had his purchase history from the retailer. The retailer confirmed that, since at least 2018, it had been providing customer emails and purchase information to Facebook (now Meta Platforms Inc.; "Meta") when customers chose to receive electronic receipts.

Upon receiving this information, Meta matched the encoded emails to users' accounts to assess the effectiveness of the retailer's ads. Meta was also permitted to use the collected information for its own purposes, such as targeted advertising and user profiling unrelated to the retailer.

In response to the recommendations of the OPC, the retailer discontinued this practice as of October 2022.

Retailer failed to obtain valid consent

The OPC found that the retailer did not meet the requirements under applicable privacy law, including the Personal Information Protection and Electronic Documents Act, as it failed to obtain meaningful consent from customers.

When a customer chooses to receive an electronic receipt instead of a printed one, they are not consenting to having their personal information shared with third parties. In a statement accompanying the OPC's findings, the Privacy Commissioner of Canada outlined that Canadians would likely not expect their information to be shared with a third party such as Facebook as a result of opting for an email receipt. The Privacy Commissioner highlighted that organizations must give customers clear information so they can make informed decisions on the use of their personal information.

The retailer attempted to justify its actions by arguing customers had provided implied consent as defined under its own and Meta's privacy statements. However, the OPC found this did not constitute meaningful consent, given that customers were not made aware of the information being shared at the time of purchase and they did not receive a clear explanation of how the information would be used. As well, Meta's privacy statement could not be relied on as it would be illogical to require customers making a purchase with the retailer to check Meta's privacy policy.

Consequently, even though the information shared with Meta was not sensitive, the OPC concluded that the retailer should have obtained express opt-in consent for this practice.

Key takeaways

The OPC's findings serve as a reminder that when you are collecting personal information from customers, you must explain the purpose for collecting the information, and limit your use of the information to that purpose. You must also obtain meaningful consent if you intend to share the information with third parties.

If your organization provides customer information to third parties, it is important to review the information you provide to customers when obtaining their consent, as well as your agreements with third parties, to ensure compliance with applicable privacy laws, for example by placing limits on a third party's use of your customers' information.
