Many businesses use Facebook advertisements to market products and services to potential clients. Facebook (whose parent company is Meta) provides services to businesses that allow them to track the return on investment for the ads placed on the social media platform. The Office of the Privacy Commissioner of Canada (OPC) released a recent decision that may result in many businesses having to revise their privacy statements, as well as getting explicit consent from customers to provide information to this online advertising giant.
The OPC conducted an investigation into the information disclosed by Home Depot to Meta when customers chose to receive an e-receipt after making a purchase in-store. The investigation was prompted by a complaint made by a customer who discovered, when deleting his Facebook account, that Meta had a record of most of his purchases made at Home Depot.
Home Depot was utilizing a Meta tool called “Offline Conversions”, which allowed businesses to measure how effective its Meta ads were in converting ads to sales. When a customer selected receiving an e-receipt at checkout, they were prompted to provide their email address. Home Depot would send the customer’s information to Meta, which would compare general purchase information (described below) to the ads delivered to the customer on Facebook. Meta would provide a report back to Home Depot with aggregated results. In addition to the advertisement analysis to Home Depot, Meta was able to use the customer’s information for its own business purposes. At no point in the e-receipt process was the Home Depot customer advised that their information would be provided to Meta.
Home Depot provided the following information to Meta: (1) customer hashed email address; (2) date/time of purchase; (3) transaction identification; and (4) custom variables for product information and type of transaction, which referred to the general department of the transaction, such as “lumber”, “hardware” or “paint”.
The OPC found that Home Depot failed to obtain meaningful consent from its customers to permit it to provide their personal information to Meta and should have obtained express opt-in consent from them. Specifically, most customers would be completely unaware of Home Depot’s information-sharing practice with Meta, nor would they reasonably expect it. Further, the act of providing an email address in order to obtain an e-receipt cannot be implied to constitute permission to provide personal information for the business purposes of either Home Depot or Meta. The OPC considered that the personal information exchanged was not overly sensitive in the circumstances:
While the information in question may not have been sensitive in the circumstances of this case, we find that when requesting an e-receipt in-store, Home Depot customers would not reasonably expect, or have any reason to suspect, that their email address and off-line purchase details would be shared with Meta for the purpose of measuring the impact of Home Depot’s online advertising campaigns. Nor would they reasonably expect that this same information be disclosed to Meta, the world’s largest social media company and one of the world’s largest online advertising platforms, to be used for Meta’s own business purposes, including targeted advertising, unrelated to Home Depot…
Home Depot tried to rely on its Privacy Statement, available online and in hard copy at each location, as well as Meta’s Privacy Policy as being sufficient to support its obligation to obtain the meaningful consent of its customers to disclose their personal information to Meta. The OPC took issue with the fact that no reference was made to either company’s privacy statement when a customer was asked to provide their email address for an e-receipt, and even if it were, they would not reasonably appreciate the nature of the information sharing with Meta, or the consequences of it.
Interestingly, Home Depot relied on “consent fatigue” as a reason for why it did not notify customers about their information-sharing practice with Meta when providing their email address. No weight was given to this rationale by the OPC; the nature of the subject use and disclosure of information was material to a customer’s decision as to whether to provide their email address to receive an e-receipt.
Practically speaking, what does this decision mean for businesses? There are a few things to be mindful of when leveraging social media advertising analysis to evaluate marketing campaigns. Reliance cannot be placed on general wording in a privacy statement about the disclosure of personal information to third parties, especially when that information will be used by the third party for its own purposes. Businesses also need to ensure that they understand how third parties will use client personal information they provide to them. Ignorance will not cut it, nor will the “well, everyone else is doing it” assumption that a third party has appropriate data practices in place.
Click here for the full OPC PIPEDA Findings #2023-001 Decision: Investigation into Home Depot of Canada Inc.’s compliance with PIPEDA.
Alysia M. Christiaen is available to assist businesses evaluateing their consent, data management and personal information disclosure practices, as well as negotiate data protection agreements with third-party service providers.