A Home Depot customer discovered on Facebook that Meta had records of his in-store Home Depot purchases and subsequently filed a complaint with the OPC. It turns out that since 2018, Home Depot had been sharing with Meta the purchases and email addresses of customers who requested e-receipts while checking out in-store via Meta’s Offline Conversions program. Although Home Depot hashed the email addresses before sharing them with Meta, if those email addresses were associated with a Facebook account, Meta would be able to match them with current Facebook user accounts and Home Depot’s ads delivered to that user on Facebook. Meta would then provide aggregated results of that analysis back to Home Depot, allowing Home Depot to measure the effectiveness of their marketing. Meta was also able to use Home Depot’s customer information for its own business purposes unrelated to Home Depot.
What does this mean for your business?
The OPC’s findings were largely based on Principle 4.3 of Schedule 1 of PIPEDA, which requires knowledge and consent for the collection, use and disclosure of personal information. At Inter Alia, we’ve long advised our clients to draft clearly worded privacy policies, and furthermore to err on the side of over-disclosing for years.
Especially after this investigation, businesses need to consider (i) regularly reviewing their privacy policies to ensure all purposes for disclosure are described in a way that is easy to navigate and understand, (ii) supplementing those policies with just-in-time disclosures (in this case for example, that would be Home Depot informing customers during the checkout that their information would be shared with Meta for analytics purposes); and (iii) not relying on implied consent unless a use truly falls within customers’ expectations.
The content on this web site is provided for general information purposes only and does not constitute legal or other professional advice or an opinion of any kind. Users of this web site are advised to seek specific legal advice regarding any specific legal issues. Inter Alia does not warrant or guarantee the quality, accuracy or completeness of any information on this web site. The articles published on this web site are current as of their original date of publication, but should not be relied upon as accurate, timely or fit for any particular purpose.