In recent findings, the Office of the Privacy Commissioner of Canada (“OPC”) concluded that Home Depot of Canada Inc. (“Home Depot”) did not obtain valid meaningful consent to share summary purchase information with Meta Platforms Inc. (“Meta”), both in order to measure the effectiveness of Facebook ads and for Meta's own purposes. The findings also suggest that Home Depot did not obtain sufficient consent to use customer information for its own marketing and analytics purposes.

The findings potentially raise troubling questions about the form of consent and the granularity of the consent disclosures that are required under the federal privacy law for the use of even non-sensitive personal information for marketing and analytics purposes. The Home Depot case is likely to be of interest to many Canadian retailers, which are likely to be engaged in similar practices.

Background

The OPC findings relate to Home Depot's use of “Offline Conversions”, a Meta feature that allows businesses to measure the effectiveness of Facebook ads. The investigation found that when a Home Depot customer provided their email address at check-out in order to obtain an e-receipt, the company forwarded a hashed version of that email address to Meta, along with summary in-store purchase details (i.e., indicating only the store department in which the purchased items were found). Having applied the same hashing algorithm to the email addresses of all Facebook users, Meta would then attempt to match the Home Depot data to a Facebook user, allowing Meta to provide Home Depot with aggregated reports respecting the effectiveness of advertising placed by the company on Facebook. The OPC also noted that Meta uses information obtained from merchants using the Offline Conversions tool to create lookalike audiences to deliver ads across Meta's social media platforms to people with a similar profile to existing offline customers. These ads could promote the disclosing merchant, or any other Meta advertising customer.
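The matching flow described above, as an added illustration that is not code from the page, from Home Depot or from Meta: the merchant exports only a hash of each normalized email address plus a department label, and the platform, which holds the plaintext addresses of its own users, rebuilds the same hashes and links the records back to user accounts. The hash function (SHA-256 over a trimmed, lower-cased address) and all sample data are assumptions constructed for the example; the point it shows is that a deterministic hash of an identifier is not anonymization against a party that already holds the identifier.

```python
import hashlib
from collections import Counter

# Constructed sample data: merchant e-receipt records and platform account list.
MERCHANT_RECEIPTS = [
    ("Alice@Example.com", "Lumber"),
    ("bob@example.com", "Paint"),
    ("carol@example.com", "Lumber"),
    ("dave@example.com", "Plumbing"),
]
PLATFORM_USERS = {  # plaintext email -> account id (held only by the platform)
    "alice@example.com": "user-1",
    "bob@example.com": "user-2",
    "erin@example.com": "user-3",
}


def normalize_email(addr: str) -> str:
    """Both sides must normalize identically, or hashes will not line up."""
    return addr.strip().lower()


def hash_email(addr: str) -> str:
    # Assumed algorithm: unkeyed SHA-256. Anyone with the plaintext can recompute it.
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def merchant_export(receipts):
    """Merchant side: plaintext emails never leave; only hash + department do."""
    return [(hash_email(email), department) for email, department in receipts]


def platform_match(export, users):
    """Platform side: hash its own user list and join on the hash."""
    index = {hash_email(email): uid for email, uid in users.items()}
    return [(index[h], dept) for h, dept in export if h in index]


def campaign_report(matches):
    """Aggregated per-department counts of matched customers, as reported back."""
    return dict(Counter(dept for _, dept in matches))


if __name__ == "__main__":
    export = merchant_export(MERCHANT_RECEIPTS)
    matched = platform_match(export, PLATFORM_USERS)
    print(matched)                  # individual accounts are linked on the platform side
    print(campaign_report(matched)) # only aggregates flow back to the merchant
```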

Key Findings

The OPC made three principal findings respecting Home Depot's compliance with the consent requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA):

  1. Express consent was needed to disclose personal information to Meta.
    PIPEDA provides that the reasonable expectations of the individual are relevant to determining the form of consent that organizations must obtain. In the Home Depot case, the OPC found that a customer would not reasonably expect that their email address and purchase information would be shared with Meta for the purpose of measuring the impact of Home Depot's online advertising campaigns, nor to be used for Meta's own business purposes, including targeted advertising, unrelated to Home Depot. Accordingly, the OPC found that express customer consent was required for the use and disclosure in question.
  2. Insufficient efforts to ensure customers are aware of the purposes for personal information use and disclosure.
    Although the OPC found that express consent was required, it noted that even if this were an appropriate case in which to rely on implied consent (as Home Depot had submitted), the retailer could not have relied on implied consent because it did not make reasonable efforts to ensure that customers were advised of the purposes for which their personal information would be used and disclosed. In this regard, the OPC noted that Home Depot requested email addresses at the point of sale for the explicit purpose of issuing electronic receipts, but did not notify customers that it would use or disclose customer information for other purposes, nor direct those customers to Home Depot's or Meta's privacy statements.
  3. General disclosures in privacy policy insufficient to support meaningful consent.
    The OPC further found that, even if a customer requesting an e-receipt had been directed to and read Home Depot's Privacy Statement, it was unlikely that the customer would have reasonably understood the nature of the information sharing with Meta, or the consequences of this practice, as PIPEDA requires. The OPC noted that Home Depot's Privacy Statement used “generic and vague” terms such as “improve our products and services”, which do not clearly describe the purposes for the collection, use and disclosure of the personal information in question.

Issues & Implications

The Home Depot findings are likely to raise a number of significant concerns for Canadian businesses, including the following.

Express v. Implied Consent

It is not entirely clear whether the OPC considers that express consent is required just for an organization to disclose non-sensitive personal information to Meta in order for Meta to use that data for its own purposes (such as to direct social advertising on behalf of other businesses), or whether the OPC considers that express consent is also required in order for an organization to share personal information with Meta in order to receive aggregate level reports about the effectiveness of the ads that organization placed on Meta's platforms.

PIPEDA allows for both implied and express forms of consent. Guidelines issued jointly by the OPC, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia provide that express consent is generally required where the personal information in question is sensitive, the processing is outside of the reasonable expectations of the individual, and/or the processing creates a meaningful residual risk of significant harm.

In the Home Depot case, the practices under consideration involved only non-sensitive, partially aggregated information and would be unlikely to give rise to any risk of harm to the individuals concerned.

Many would consider that the disclosure of personal information to a third party, to be used for the third party's own purposes, would generally require express consent; however, only implied consent has typically been required for an organization to share personal information with a service provider that processes personal information on the sharing organization's own behalf. Accordingly, it would appear to be a marked departure from accepted practice to require express consent for an organization to share personal information with Meta in order to receive summary reports respecting the effectiveness of social advertising. Complicating the analysis in this case is the fact that Meta is, in part, using data collected during the operation of its Facebook service in order to produce the Offline Conversions report.

In the result, businesses may be left wondering as to whether they are compliant with PIPEDA in relying on implied consent to share personal information with service providers for marketing and analytics purposes. Given these uncertainties, businesses may wish to carefully review their practices in this regard.

Privacy Policy Wording

Another key issue raised by the Home Depot findings is the level of specificity required in the description of the purposes for processing personal information, which businesses typically include in their privacy policies. The Home Depot Privacy Statement does indicate that the company will use personal information for a range of business purposes, including:

  • to make website or product and service improvements
  • to look at website trends and customer interests (including combining information it has with information received from third parties)
  • to use personal information to deliver marketing communications, including online ads
  • to share personal information with service providers providing services on Home Depot's behalf

The Privacy Statement also explicitly notes that social media platforms may collect information about a customer's use of Home Depot's services and may track a consumer's online activities over time and across multiple websites and mobile applications, and that Home Depot may receive such information from such platforms. The level of detail provided in Home Depot's 4200-word Privacy Statement may not be atypical for other Canadian businesses, yet the OPC found it to be inadequate.

In the digital era, the ways in which personal information might be compiled, shared, analyzed and used can appear complex to the average consumer, suggesting that a greater amount of detail and explanation may be required in order for a business to inform its customers of its privacy practices in a comprehensive and understandable manner.

One can certainly imagine presenting a more detailed description of an organization's use of the Offline Conversions feature, but the resulting explanation might well run several paragraphs. Applying the same level of granularity to explaining other types of usage or disclosure of personal information could result in a markedly longer privacy policy document. As the OPC and other privacy commissioners have acknowledged, information buried in a privacy policy or terms of use serves no practical purpose to individuals with limited time and energy to devote to reviewing privacy information.

The OPC's Guidelines for obtaining meaningful consent accordingly recommend that organizations emphasize key elements in their full privacy policies, providing layers of additional detail (such as through hyperlinked, connecting pages or documents) to allow individuals to access information of interest in more manageable and easily accessible ways. Businesses using the Offline Conversions tool or engaging in other sophisticated digital tracking technologies for marketing and analytics may want to consider linking expanded, more in-depth explanations of these practices to their privacy policies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.