An investigation conducted by the Privacy Commissioner of Canada has determined that Home Depot Canada had provided Meta with customer email addresses and purchase data as part of an ad measurement program, without informing customers about how this data would be used.
Since 2018, Home Depot Canada has collected customer emails at checkout, with the stated purpose of sending electronic purchase receipts.
However, the commission found that Home Depot also provided those emails and related in-store purchase data to Meta. The data included a hashed version of the customer’s email, the time of their purchase, the products purchased, which departments they were purchased from and which store the purchase was made at. Meta would match the email to an existing Facebook account and compare purchase info to ads a user may have seen as a way to measure effectiveness, providing the results in a report to the retailer.
The commission also said that Home Depot authorized Meta to use that data for its own business activities, such as for targeting ads unrelated to Home Depot.
This was all part of Home Depot Canada using Facebook’s Offline Conversions platform, which allows advertisers to connect CRM and point-of-sale data to measure the impact of ads on offline events – such as in-store sales – as well as create custom audiences and target future ad campaigns.
While participating in this kind of platform does not contravene privacy regulations, the commission’s investigation found that Home Depot had not properly obtained consent for collecting the data it used for these activities, nor did it inform customers that their data would be used this way.
“When customers were prompted to provide their email address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company,” Privacy Commissioner Philippe Dufresne said in a statement. “This information would have been material to a customer’s decision about whether or not to obtain an e-receipt.”
Home Depot’s assertion was that by having customers agree to provide an email, it had received implied consent for the practice through both its own and Meta’s privacy policy, the latter of which explained the Offline Conversions program. The retailer cited “consent fatigue” as a reason for not notifying customers of its information sharing with Meta.
But the commission rejected that argument on multiple grounds. First, those privacy policies would not have been readily available to customers at the point they provide their email address. Second, those privacy policies did not provide a clear explanation of the practice. Regardless, the commission said the activity was of the sort that Home Depot should have obtained opt-in consent and provided a clear explanation, based on provisions within PIPEDA and compliance guidelines it has previously issued.
One reason Home Depot believed it could rely on implied consent was that the information being shared with Meta was not “sensitive.” While the commission accepted that to be true in the specific context of measuring ad effectiveness, it said that the data could become sensitive if used to create a pattern of purchase behaviour and locations customers shopped at. It could also become sensitive if Meta combined it with other data it has about a user.
“As businesses increasingly look to deliver services electronically, they must carefully consider any consequential uses of personal information, which may require additional consent,” Dufresne said. “In this case, it is unlikely that Home Depot customers would have expected that their personal information would be shared with a third party social media platform simply because they opted for an electronic receipt.”
The commission recommended that Home Depot stop disclosing personal customer information to Meta until it was able to ensure it could obtain proper consent from customers.
Home Depot is co-operating with the recommendations, and stopped the practice with Meta in October. The retailer has also agreed to only resume the practice if it obtains prior opt-in consent from customers, informs them of how their information will be used and updates its privacy policy to include the practice, as well as providing information about how to opt out.
The ruling comes as Bill C-27, which would overhaul Canada’s privacy laws, continues to make its way through the House of Commons. A major part of the bill is laying out how to properly obtain consent for collecting personal information, which includes providing detailed information about which data is being collected, how it is being used and which third parties the data will be shared with. The bill would also require businesses to be more clear about how data is collected and used.
The bill received its second reading in the House of Commons in November. It will move to committee when the federal government returns from its winter break on Jan. 30.