Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Canada: OPC finds Home Depot in violation of PIPEDA for sharing customers' personal data without consent
The Office of the Privacy Commissioner of Canada ('OPC') published, on 26 January 2023, its Report of findings No. 2023-001, as issued on the same date, in which it found that Home Depot of Canada Inc. had violated Principles 4.3 of Schedule 1 of the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA'), following a complaint.
Background to the report
In particular, the OPC outlined that the complainant alleged that Home Depot contravened PIPEDA by disclosing their personal information to Meta Platforms, Inc., without their knowledge and consent. Specifically, the OPC explained that the complainant claimed that, while they deleted their Facebook account, they learned that Meta had a record of most of their in-store purchases made at Home Depot.
Findings of the OPC
Following its investigation, the OPC found that Home Depot failed to ensure valid meaningful consent for its practice of sharing customer information with Meta for Home Depot's and Meta's purposes. On this point, the OPC explained that it did not accept Home Depot's assertion that it had obtained implied consent for the practice, noting that it could not rely on its privacy policy and/or that of Meta to obtain consent, and in any event, the explanations provided in those policies were insufficient to support meaningful consent. In this regard, the OPC highlighted that, in its view, Home Depot should have obtained express opt-in consent, at or before the time of collection.
More specifically on implied consent, the OPC detailed that most customers would be completely unaware of the practice, and would not reasonably expect such data sharing. Additionally, the OPC clarified that customers' conduct of providing their email address to obtain an e-receipt cannot be implied to constitute permission for the information to be used by Home Depot for secondary purposes, let alone for disclosure to Meta to be used for its own separate business purposes.
Outcomes
In light of the above, the OPC made a number of recommendations to Home Depot, in view to bring them into compliance with PIPEDA, namely:
- not disclosing, to Meta, personal information of customers requesting an e-receipt, until it implements measures to ensure valid consent;
- implement measures to obtain express, prior opt-in consent, should it choose to recommence its practice of sharing customer information with Meta via offline conversions;
- amend privacy communications to ensure transparent messaging and meaningful consent for this practice, by:
- providing key information up front, at the time customers request an e-receipt, including:
- what information will be disclosed to Meta;
- that it will be used for the purpose of measuring the effectiveness of Home Depot's advertising campaigns of Meta's service Facebook;
- that the information will also be used by Facebook for its own purposes, including targeting; and
- that customers have the option to withdraw consent at a later time; and
- including in its privacy statement a more detailed explanation of the practice, and how to withdraw consent.
- providing key information up front, at the time customers request an e-receipt, including:
Finally, the OPC noted that in response to its recommendations Home Depot discontinued the use of Meta's offline conversions tool in October 2022, confirming that should it decide to re-engage with the use of the conversion tool, it would implement recommendations as outlined above.