The Office of the Privacy Commissioner of Canada (OPC) recently issued its Report of Findings regarding Home Depot's handling of customer information. The OPC found that the retailer failed to obtain meaningful consent when it disclosed non-sensitive information of customers who selected to receive receipts by email during in-store check-out to Meta (Facebook's parent company) for online marketing purposes. While the information was non-sensitive, the OPC still concluded that opt-in consent was required because customers would not have expected information from their transaction to be shared with Meta under the circumstances.

What you need to know

  • The OPC investigated a complaint that Home Depot disclosed customers' contact and transaction information to Meta (Facebook's parent company) for marketing purposes without consent. When a customer chose to be emailed an e-receipt, Home Depot shared high-level data about the transaction with Meta for both Home Depot's and Meta's own advertising purposes.
  • The OPC concluded that this practice required Home Depot to obtain opt-in consent because the practice was outside customers' reasonable expectations.
  • The OPC's investigation is a reminder that an individual's reasonable expectations are a key factor in identifying the appropriate form of consent—sensitivity of the information is not determinative.
  • Businesses engaged in online advertising should consider reviewing data sharing practices where opt-out consent is used to determine whether the language in a privacy policy, and the way it is presented to customers, supports a reasonable expectation that information will be shared for marketing purposes.
  • Where applicable, businesses can consider notifying customers (e.g., through pop-ups or verbal prompts) that certain information will be shared with advertising partners and where they can opt out.

The OPC's findings regarding Home Depot

Home Depot shared email addresses and in-store purchase details for customers who chose to receive an email receipt in-store. Meta matched this information to the corresponding Facebook account and used the purchase information to measure the effectiveness of the ads it delivered to customers on Facebook. Meta then provided Home Depot with the results of its analysis.

The OPC found that customers' email addresses and purchase information were "non-sensitive", but concluded that opt-in consent was required because customers would not reasonably expect that by selecting to receive an emailed receipt for an in-store purchase, their data would be sent to Meta for online marketing purposes.

In the unique circumstances of this case, the OPC concluded that opt-in consent was required because customers needed to be provided with the choice directly at the time the information was collected (i.e., at the check-out counter).

The OPC also found that Home Depot's privacy statement (posted online and available in stores) was insufficient to obtain consent under PIPEDA because:

  • When requesting an e-receipt, customers were not directed to either Home Depot's or Meta's privacy statements, and were provided with no information other than that they would be emailed their receipt.
  • In the context of requesting an e-receipt, customers would have no reason to refer to either privacy statement because they were unaware of the practice.
  • Even if customers did refer to either privacy statement, they would not have been able to understand the nature or consequences of the information sharing with Meta—the information provided was either missing or the terms too vague.

The OPC indicated that customers would not understand the nature of the information sharing with Meta or the consequences of this practice, contrary to PIPEDA section 6.1. The OPC also concluded that Home Depot failed to make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used, contrary to PIPEDA principle 4.3.2.

Recommendations for data sharing practices for targeted advertising

The OPC's investigation provides two key practice points for businesses engaged in targeted online advertising.

1. Consider whether data sharing is within individuals' reasonable expectations

The OPC's decision is an important reminder that businesses should consider the reasonable expectations of individuals whose information is being collected for the purpose of targeted advertising. Where this practice is outside their reasonable expectations, businesses should consider whether a more express form of consent is appropriate.

The decision involved non-sensitive information, for which the OPC has typically been prepared to accept the use of opt-out consent. However, the OPC considers two other factors in determining the appropriate form of consent: whether the given action is within the reasonable expectations of the individual, and whether the action creates a meaningful residual risk of significant harm. In this case, the OPC concluded that opt-in consent was required because customers would not reasonably expect their data to be shared based on the context of its collection (an in-store, offline purchase).

In light of the OPC's decision, organizations that engage in online advertising should consider their data-sharing practices with a view to whether the reasonable expectations of the customer at the time of collection support the use of opt-out consent. In particular, a business should consider if its customers are being given timely notice of the company's data sharing practices and a clear way to opt out. In this case, Home Depot was required to switch to an opt-in form of consent, but that may not be required for all similar data sharing practices.

Where businesses determine that their data handling practices are outside the reasonable expectations of the individual, whether based on the circumstances of the collection of the information or another factor, businesses should consider whether clearer notice or an opt-in form of consent is appropriate.

2. Ensure privacy statements are accessible and accurate

The OPC was critical of both the lack of effort made to bring Home Depot's privacy statement to the attention of its customers and the language used in Home Depot's privacy policy, calling certain terms "generic and vague" and lacking "sufficient precision".

Businesses should ensure that their privacy policies are sufficiently clear when describing how personal information will be used, and when and with whom it will be shared. Transparent messaging is important when relying on opt-out consent.

Where opt-out consent is relied on, businesses should:

  • Provide clear instructions for opting out of the data sharing.
  • Where the privacy policy is being relied on to provide notice of the disclosure of individuals' information and/or opt-out procedures, ensure that the privacy policy is accessible by the individual at the time the information is collected, e.g., by providing a link directly to the policy when collecting the information.
