If your business collects personal information and shares it with your service providers, it’s time to re-evaluate your privacy practices. In light of recent findings by the Office of the Privacy Commissioner (the “OPC”), businesses that disclose personal information to their service providers for internal business purposes (such as marketing or analytics) may need to implement disclosures beyond those in a privacy policy and obtain express consent from individuals whose information they collect.

In January, the OPC found that Home Depot of Canada Inc. (“Home Depot”) shared the private information of its customers with Facebook (now Meta Platforms, Inc., “Meta”) in contravention of the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The findings of this investigation suggest that the disclosures required to use customer information for marketing and analytics purposes go beyond the content of your privacy policy. The investigation also raises questions about how specific businesses need to be about the purposes for which they collect personal information.

Background

A Home Depot customer discovered on Facebook that Meta had records of his in-store Home Depot purchases and subsequently filed a complaint with the OPC. It turns out that since 2018, Home Depot had been using Meta’s Offline Conversions program to share with Meta the purchases and email addresses of customers who requested e-receipts while checking out in-store. Although Home Depot hashed the email addresses before sharing them, Meta was able to match any address associated with a Facebook account to that account and to the Home Depot ads delivered to that user on Facebook. Meta would then provide aggregated results of that analysis back to Home Depot, allowing Home Depot to measure the effectiveness of its marketing. Meta was also able to use Home Depot’s customer information for its own business purposes unrelated to Home Depot.

Findings

Home Depot argued that it had implied consent to use the emails collected for this purpose. The basis for this argument was language in its privacy policy that said the company used information collected for “internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” including “with third parties.” Home Depot also relied on Meta’s privacy statement, which explains the Offline Conversions program.

Despite the disclosures in Home Depot’s privacy policy, the OPC rejected Home Depot’s assertions and found that Home Depot “failed to ensure valid consent” at the time customer information was collected. In the OPC’s view, the actual information about how their email would be used “would have been material to a customer’s decision about whether or not to obtain an e-receipt.” The OPC also stated that customers’ expectations would have been limited to the use they had been told about when they provided their email addresses: receiving an e-receipt. The OPC therefore found that customers would have no reason to refer to Home Depot’s or Meta’s privacy documents to obtain further information.

Moreover, the OPC stated that even if Home Depot had linked to its own privacy policy during the checkout process, the policy’s “generic and vague” language does not adequately explain that customer information may be disclosed to its service providers for their own purposes, and does not clearly describe the purposes for collection, use and disclosure of personal information.

What does this mean for your business?

The OPC’s findings were largely based on Principle 4.3 of Schedule 1 of PIPEDA, which requires knowledge and consent for the collection, use and disclosure of personal information. At Inter Alia, we’ve long advised our clients to draft clearly worded privacy policies and to err on the side of over-disclosing.

This case demonstrates the difficulties with relying on implied consent – for such consent to be valid, the use of personal information needs to fall within the individual’s reasonable expectations of how that information will be used. Whatever the privacy policy may say, Home Depot’s question to the customer at checkout was deemed to be misleading in a way that the privacy policy could not protect the company against. The fact is that a reasonable person who is asked if they want to provide their email “to get an e-receipt” is only consenting to that. If the question had been “do you want to provide your email for an e-receipt along with all of Home Depot’s other uses of personal information as described in our privacy policy”, maybe the consent would have been upheld.

The lesson here seems to be: don’t ask a very specific question with an easy yes-or-no consent response and expect generic language in your privacy policy to protect you from the argument that you misled your customer.

Said another way, disclosures made in a privacy policy are not useful to those who have no reason to think they need to consult it – and this goes to the heart of what it means to obtain meaningful consent. In fact, the OPC has long advised that information buried in a privacy policy is not of any practical use, and may not act as the “silver bullet” businesses have been relying on. As we anticipate updates to Canada’s privacy laws, it’s wise to adhere to the spirit of PIPEDA’s Fair Information Principles and ensure that users know exactly what information is collected and how it’s used. At Inter Alia, we always recommend baking good privacy practices into the heart of our clients’ businesses, by design, rather than solely relying on the privacy policy. It builds good relationships with their customers, and keeps us ahead of the curve as the law inevitably evolves toward higher and higher levels of consumer protection in this space.

Especially after this investigation, businesses need to consider (i) regularly reviewing their privacy policies to ensure all purposes for disclosure are described in a way that is easy to navigate and understand; (ii) supplementing those policies with just-in-time disclosures (in this case, for example, that would be Home Depot informing customers during checkout that their information would be shared with Meta for analytics purposes); and (iii) not relying on implied consent unless a use truly falls within customers’ expectations.

If you have any questions about your privacy policy or disclosure practices, please feel free to reach out to our team to obtain advice based on your specific circumstances.

 

The content on this web site is provided for general information purposes only and does not constitute legal or other professional advice or an opinion of any kind. Users of this web site are advised to seek specific legal advice regarding any specific legal issues. Inter Alia does not warrant or guarantee the quality, accuracy or completeness of any information on this web site. The articles published on this web site are current as of their original date of publication, but should not be relied upon as accurate, timely or fit for any particular purpose.
