
Home Depot Gets Nailed by Privacy Commissioner for Sharing Data with Meta


In recent findings, the Office of the Privacy Commissioner of Canada (“OPC”) concluded that Home Depot of Canada Inc. (“Home Depot”) did not obtain valid, meaningful consent to share summary purchase information with Meta Platforms Inc. (“Meta”) in order to measure the effectiveness of Facebook ads, as well as for Meta’s own purposes. The findings also suggest that Home Depot did not obtain sufficient consent to use customer information for its own marketing and analytics purposes.

The findings potentially raise troubling questions about the form of consent and the granularity of the consent disclosures that are required under the federal privacy law for the use of even non-sensitive personal information for marketing and analytics purposes. The Home Depot case is likely to be of interest to many Canadian retailers, which are likely to be engaged in similar practices.

Background

The OPC findings relate to Home Depot’s use of “Offline Conversions”, a Meta feature that allows businesses to measure the effectiveness of Facebook ads. The investigation found that when a Home Depot customer provided their email address at check-out in order to obtain an e-receipt, the company forwarded a hashed version of that email address to Meta, along with summary in-store purchase details (i.e., indicating only the store department in which the purchased items were found). Having applied the same hashing algorithm to the email addresses of all Facebook users, Meta would then attempt to match the Home Depot data to a Facebook user, allowing Meta to provide Home Depot with aggregated reports respecting the effectiveness of advertising placed by the company on Facebook. The OPC also noted that Meta uses information obtained from merchants using the Offline Conversions tool to create lookalike audiences to deliver ads across Meta’s social media platforms to people with a similar profile to existing offline customers. These ads could promote the disclosing merchant, or any other Meta advertising customer.
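
The matching step described above, sketched as an added example (it is not taken from the OPC findings, Home Depot or Meta). SHA-256 over a trimmed, lowercased address is an assumption, as are all function names and the constructed sample records; the point it shows is that the party holding the cleartext addresses can link each hashed record to a specific account, so the hash acts as a join key.

```python
import hashlib
from collections import Counter


def hash_email(email: str) -> str:
    """Normalise (trim, lowercase) then hash; both parties must do the same.

    SHA-256 is an assumption here: the page only says "the same hashing algorithm".
    """
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed retailer upload: hashed e-receipt address plus store department only.
RETAILER_EVENTS = [
    {"email_hash": hash_email("Alice@example.com "), "department": "Paint"},
    {"email_hash": hash_email("bob@example.com"), "department": "Lumber"},
    {"email_hash": hash_email("carol@example.com"), "department": "Paint"},
]

# Constructed platform account table: the platform holds cleartext addresses.
PLATFORM_USERS = {
    "alice@example.com": "user-1001",
    "bob@example.com": "user-1002",
    "dave@example.com": "user-1003",
}


def match_events(events, users):
    """Hash every known address, then join uploads to accounts on the hash."""
    index = {hash_email(addr): uid for addr, uid in users.items()}
    return [
        (index[ev["email_hash"]], ev["department"])
        for ev in events
        if ev["email_hash"] in index  # addresses with no account stay unmatched
    ]


def aggregate_report(matches):
    """What goes back to the retailer: counts per department, no identities."""
    return dict(Counter(dept for _, dept in matches))


if __name__ == "__main__":
    linked = match_events(RETAILER_EVENTS, PLATFORM_USERS)
    print("linked on the platform side:", linked)
    print("aggregate returned to retailer:", aggregate_report(linked))
```

The retailer only sees the aggregate, but the intermediate `linked` list exists on the platform side with an account identifier attached to each purchase record.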

Key Findings

The OPC made three principal findings respecting Home Depot’s compliance with the consent requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA):

  1. Express consent was needed to disclose personal information to Meta. PIPEDA provides that the reasonable expectations of the individual are relevant to determining the form of consent that organizations must obtain. In the Home Depot case, the OPC found that a customer would not reasonably expect that their email address and purchase information would be shared with Meta for the purpose of measuring the impact of Home Depot’s online advertising campaigns, nor to be used for Meta’s own business purposes, including targeted advertising, unrelated to Home Depot. Accordingly, the OPC found that express customer consent was required for the use and disclosure in question.
  2. Insufficient efforts to ensure customers are aware of the purposes for personal information use and disclosure. Although the OPC found that express consent was required, it noted that even if it were an appropriate case to rely on implied consent (as Home Depot had submitted), the retailer could not have relied on implied consent as it did not make reasonable efforts to ensure that customers were advised of the purposes for which their personal information would be used and disclosed. In this regard, the OPC noted that Home Depot requested email addresses at point of sale for the explicit purpose of issuing electronic receipts, but did not notify customers that it would use or disclose customer information for other purposes, nor direct those customers to Home Depot’s or Meta’s privacy statements.
  3. General disclosures in privacy policy insufficient to support meaningful consent. The OPC further found that, even if a customer requesting an e-receipt had been directed to and read Home Depot’s Privacy Statement, it was unlikely that the customer would have reasonably understood the nature of the information sharing with Meta, or the consequences of this practice, as is required by PIPEDA. The OPC noted that Home Depot’s Privacy Statement used “generic and vague” terms such as “improve our products and services”, which do not clearly describe the purposes for the collection, use and disclosure of the personal information in question.

Issues & Implications

The Home Depot findings are likely to raise a number of significant concerns for Canadian businesses, including the following.

Express v. Implied Consent

It is not entirely clear whether the OPC considers that express consent is required just for an organization to disclose non-sensitive personal information to Meta in order for Meta to use that data for its own purposes (such as to direct social advertising on behalf of other businesses), or whether the OPC considers that express consent is also required in order for an organization to share personal information with Meta in order to receive aggregate level reports about the effectiveness of the ads that organization placed on Meta’s platforms.

PIPEDA allows for both implied and express forms of consent. Guidelines issued jointly by the OPC, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia provide that express consent is generally required where the personal information in question is sensitive, the processing is outside of the reasonable expectations of the individual, and/or the processing creates a meaningful residual risk of significant harm.

In the Home Depot case, the practices under consideration involved only non-sensitive, partially aggregated information and would be unlikely to give rise to any risk of harm to the individuals concerned.

Many would consider that the disclosure of personal information to a third party, to be used for the third party’s own purposes, would generally require express consent; however, only implied consent has typically been required for an organization to share personal information with a service provider that processes personal information on the sharing organization’s own behalf. Accordingly, it would appear to be a marked departure from accepted practice to require express consent for an organization to share personal information with Meta in order to receive summary reports respecting the effectiveness of social advertising. Complicating the analysis in this case is the fact that Meta is, in part, using data collected during the operation of its Facebook service in order to produce the Offline Conversions report.

In the result, businesses may be left wondering as to whether they are compliant with PIPEDA in relying on implied consent to share personal information with service providers for marketing and analytics purposes. Given these uncertainties, businesses may wish to carefully review their practices in this regard.

Privacy Policy Wording…

Read The Full Article at Lexology
