By Esther Shainblum and Martin U. Wissmath

Home Depot Stops Sharing Customer Purchase Data with Facebook After OPC Investigation

Home Depot of Canada Inc. (“Home Depot”) discontinued its participation in an advertising program with Meta Platforms Inc. (“Meta”), the company that owns and operates Facebook, following a federal privacy commissioner investigation that found that Home Depot had failed to obtain valid consent from its customers in contravention of Canada’s privacy legislation. The Office of the Privacy Commissioner of Canada (OPC) published its findings from the investigation on January 26, 2023 (the “Findings”), along with a statement from the privacy commissioner and a news release. According to the Findings, a complainant alerted the OPC that “while he was deleting his Facebook account, he learned that Meta had a record of most of his in-store purchases made at Home Depot” (the “Complainant”). Home Depot then confirmed to the OPC that it shared customers’ encoded email addresses and in-store purchase information obtained from e-receipts with Meta as a means of measuring the effectiveness of online advertisements since at least 2018. The OPC found that the lack of meaningful customer consent was not compliant with Principle 4.3 in Schedule 1 of the federal Personal Information and Electronic Documents Act (PIPEDA).

As stated in the Findings, “Principle 4.3 of Schedule 1 of PIPEDA requires knowledge and consent for the collection, use and disclosure of personal information, except where inappropriate.”. As the OPC investigated, it learned that Home Depot had been using a business tool provided by Meta, known as “Offline Conversions” which measured “the extent to which Facebook ads lead to real-world outcomes such as purchases in stores.” Meta could also use the customer data from Home Depot to “create lookalike audiences to deliver ads across Meta technologies to people with a similar profile to existing offline customers.” In signing up for an e-receipt, Home Depot customers were presented with an on-screen option they could click “yes” to, and provide their e-mail address, but at no point in the process was the customer informed that Home Depot shared their data with Meta. The two companies had been sharing customer data as part of a business agreement since May 2018.

The Findings note that Principle 4.3.5 of Schedule 1 “states that on obtaining consent, the reasonable expectations of the individual are also relevant.” Referring to the Guidelines for Obtaining Meaningful Consent, the Findings also note that organizations must generally obtain express consent when, among other factors, “the collection, use or disclosure is outside of the reasonable expectations of the individual” (paragraph 20).

Paragraph 30 of the Findings states:

While the information in question may not have been sensitive in the circumstances of this case, we find that when requesting an e-receipt in-store, Home Depot customers would not reasonably expect, or have any reason to suspect, that their email address and off-line purchase details would be shared with Meta for the purpose of measuring the impact of Home Depot’s online advertising campaigns. Nor would they reasonably expect that this same information be disclosed to Meta, the world’s largest social media company and one of the world’s largest online advertising platforms, to be used for Meta’s own business purposes, including targeted advertising, unrelated to Home Depot[.]

Home Depot submitted that it obtained implied consent through both its own privacy statement and the Meta privacy policy. The OPC found that Home Depot did not obtain customers’ implied consent for the practice because most customers were completely unaware of the practice and would not reasonably expect it. Further, the OPC found that Home Depot could not have relied on implied consent for this program.

Ultimately the OPC found that Home Depot should have obtained express consent, at or before the time of collection, for these purposes (paragraph 31).

The OPC was not persuaded that Home Depot’s privacy statement and Meta’s privacy policy were sufficient to support meaningful consent to the disclosure of in-store customer information to Meta. To comply with Principle 4.3.2 of Schedule 1, “an organization must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.” The OPC found that customers would have had no reason to refer to those privacy policies to obtain further information on a practice they were unaware of. It also found that Home Depot did not provide any explanations at the point of sale regarding how it would use or disclose customer information, other than to provide an e-receipt.

The OPC therefore found that Home Depot had failed to obtain valid, meaningful consent for its disclosure of customer information to Meta to be used for Meta’s own purposes.

The OPC recommended that Home Depot obtain “express, prior opt-in consent” and include a more detailed explanation in its privacy statement about the practice of sharing customers’ personal information with Meta. In response, Home Depot discontinued the use of Meta’s “Offline Conversions” tool and confirmed that it would implement the OPC’s recommendations if it decided to resume the practice.

This case is instructive for all organizations, including charities and not-for-profits, regarding what constitutes valid, meaningful consent. As we have previously advised, charities and not-for-profits should look to PIPEDA, and the rulings of the OPC as best-practices for the handling of personal information, including donor and membership information.

​Read the February 2023 Charity & NFP Law Update