Imagine you have just gone shopping and you are at the Til paying for your purchases and the clerk asks “would you like us to email your receipt?” Most of us would say yes because being paperless is environmentally friendly and looking out for Climate Change, did you give the store the right to share your email address and a list of the items you bought with a third party? Canada Privacy Commission was asked that same question when Homedepot shared customer information with Meta the company that owns Facebook and Instagram. Remarketing and Marketing Surveillance is a huge practice on the internet and now we are starting to see this [practice happen in stores. We know that when a business asks for an email and phone number because it is the first shopping there that we have been added to a list. The practice of sharing or selling information should that be a violation of privacy and what should the consequences be for breaching the public trust? Right now the Canada Privacy Commission can tell a business that these practices are wrong but what more can they do about?
From the Canada Privacy Commission
Good morning and thank you for being here today.
My name is Philippe Dufresne, and I am the Privacy Commissioner of Canada.
My mandate is to protect and promote individuals’ privacy rights in the public and private sectors, and to ensure that organizations respect their privacy obligations. My Office investigates complaints, provides advice to government departments and private sector organizations, promotes public awareness of privacy issues, and provides advice and recommendations to Parliament on law reform and privacy matters of public interest and importance.
Since my appointment last June, I have met with key stakeholders from across Canada representing government, businesses, civil society, consumers, academics, and equity-deserving groups. One of the recurring themes of the discussions was this: protecting privacy in our increasingly digital world is one of the key challenges of our time.
As Privacy Commissioner of Canada, I fully intend to meet this challenge and in doing so, I will apply the three elements of my vision for privacy, which are:
- First, privacy is a fundamental right. It must be legally protected with a strong, fair, accessible and enforceable rights-based regime that offers meaningful remedies to prevent and address violations, and that acts as an incentive for institutions to create a culture of privacy with privacy by design, and privacy by default.
- Second, privacy supports the public interest and Canada’s innovation and competitiveness. It is not an either-or proposition. Organizations that consider privacy implications at the outset of any innovation or initiative, and that make it easy for Canadians to choose privacy protection as the default setting, will find that it is ultimately more cost-efficient and effective, and those costs will become investments that are good for consumers, businesses, public policy, and innovation alike.
- Third, and finally, privacy accelerates the trust that Canadians have in their institutions. When individuals are reassured that their privacy is being sufficiently protected, they feel confident about participating freely in the digital economy.
These three pillars reflect the reality that Canadians want to be active and informed digital citizens, able to fully participate in society and the economy without having to choose between this participation and their fundamental privacy rights.
As you know, this week is Data Privacy Week, and today we have released the results of our investigation into Home Depot Canada’s sharing of customer information with Meta Platforms, which operates Facebook. Our key finding, and an important reminder for all organizations, is that when a customer chooses to receive an electronic receipt instead of a printed one, they are not consenting to have their personal information shared with third parties.
Since at least 2018, Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt.
It is a question that I am sure all of us recall having been asked at one point or another, “Would you like a printed or email receipt?” When offered this choice, most customers likely understand that this is for their benefit and convenience in this increasingly digital world. Canadians would likely not expect or accept that their personal information would be shared with a third party, like Facebook, simply because they opted for an email receipt.
However, my Office’s investigation following a complaint under the Personal Information Protection and Electronic Documents Act revealed that Home Depot sent these email addresses, in a coded format, along with high-level details about each customer’s in-store purchases, to Meta, who would then use this information to determine if a customer had a Facebook account. If they did, Meta would compare the person’s in-store purchases to Home Depot’s advertisements sent over the platform to measure and report on the effectiveness of those ads. Meta could also use the information for its own business purposes, including user profiling and targeted advertising that was unrelated to Home Depot. While each email address that Home Depot shared with Meta was encoded so that it could not be read by individuals at Facebook, Meta employed an automated process that allowed it to match email addresses attached to individual Facebook accounts.
When Home Depot customers were prompted and agreed to receive an e-receipt, they were never informed that their information would be shared with Meta, or how it would be used by either company. This is where Home Depot fell short. Consumers need clear information at key transaction points so that they can make informed decisions about how their personal information should be used and provide meaningful consent.
I am pleased to share that in response to the recommendations in our report, Home Depot has discontinued this practice as of October 2022. Home Depot has also confirmed that it would obtain express and meaningful opt-in consent should it put in place a similar practice in the future.
This represents a very concrete and positive outcome for Canadians.
Personal information is a core part of who we are as individuals, and respecting privacy rights is essential to our dignity and fundamental freedoms. Organizations should not trivialize the use of personal information. While our investigation dealt with an individual case, our overall conclusions would apply to any organization that has a similar practice with respect to e-receipts. This report is a reminder to all companies, as they increasingly look to deliver services online and offer e-receipts, that they must be clear and transparent about how and why they are asking for consumers’ personal information, and that they must obtain meaningful consent from their consumers before sharing this information with third parties. Doing so is not only required by privacy law, it is also an important investment in the trust that Canadians have in the digital economy.
Data Privacy Week is also an opportunity to encourage Canadians to always ask companies why and for what purpose their personal information is being sought, even if the request appears to be straightforward.
Listen More of our Podcast
Please Visit Our Sponsors