Investigation into Home Depot of Canada Inc.’s compliance with PIPEDA

PIPEDA Findings # 2023-001

January 26, 2023

---

Overview

The Complainant alleged that Home Depot of Canada Inc. (“Home Depot”) disclosed his personal information to Facebook (now Meta Platforms, Inc., “Meta”) without his knowledge and consent. Specifically, the complainant claimed that while he was deleting his Facebook account, he learned that Meta had a record of most of his in-store purchases made at Home Depot.

Home Depot confirmed to our Office that it was in fact sending in-store customers’ data to Meta through a business tool known as “Offline Conversions”, which allows businesses to measure the effectiveness of Meta ads. Specifically, Home Depot forwards the customer’s hashed^{Footnote 1} email address and off-line purchase details to Meta when the customer provides their email address to Home Depot, at check-out, to obtain an e-receipt. Meta then matches the email to the customer’s Facebook account. If the customer has a Facebook account, Meta compares offline purchase information to ads delivered to the customer on Facebook, to measure effectiveness of those ads, and provides results of that analysis back to Home Depot in the form of an aggregated report. Meta can also use the customer’s information for its own business purposes, including targeted advertising, unrelated to Home Depot.

Contrary to Home Depot’s assertion, neither its Privacy Statement nor that of Meta were sufficient to obtain implied consent for its disclosure to Meta of the personal information of in-store customers requesting an e-receipt. The Home Depot privacy statement would not have been readily available to customers at the time of purchase, and in any event did not provide a clear explanation of the practice in question. Furthermore, customers would have no reason to check Meta’s privacy statement in the context of providing their email address to Home Depot.

As a consequence, we found that while the information in question in this specific context (i.e., high-level Home Depot purchase information, such as “lumber” or “hardware”) is not generally sensitive, customers would not reasonably expect Home Depot to disclose that information to Meta, such that Home Depot should have obtained express opt-in consent for the practice.

In response to recommendations by our Office, Home Depot committed to implement our recommendations and discontinued the use of Meta’s Offline Conversions Tool in October 2022. We appreciate Home Depot’s cooperation throughout our investigation and its commitment to enhancing privacy through acceptance of our recommendations.

We, therefore, deem this complaint to be well-founded and resolved.

Complaint and Background

1. The Office of the Privacy Commissioner (“OPC”) received a complaint from an individual alleging that Home Depot contravened the Personal Information Protection and Electronic Documents Act (the “Act”) by disclosing his personal information to Meta without his knowledge and consent. Specifically, the complainant claimed that while he was deleting his Facebook account, he learned that Meta had a record of most of his in store purchases made at Home Depot. This information was available in the ‘Off-Facebook Activity’ section of his Facebook account^{Footnote 2}. The Complainant attempted to resolve this matter with Home Depot, but was dissatisfied with their response, wherein they incorrectly advised that they had not shared his information with Meta^{Footnote 3}.
2. In investigating this matter, our Office sought representations from Home Depot directly, as well as from Meta, as a third party to this investigation.
3. Based on the submissions from both parties, we learned that since 2018, Home Depot has been using a business tool provided by Meta, known as “Offline Conversions”. Meta describes this tool as allowing businesses to measure the extent to which Facebook ads lead to real-world outcomes such as purchases in stores. Specifically, businesses can send Meta in-store transaction data through Offline Conversions to: (i) understand how much of their offline activity can be attributed to ads; (ii) measure the offline return on ad spending; and (iii) reach people offline and show ads to people based on the actions they take offline. We noted as well, in the online materials referenced by Meta, that Meta can also use information obtained via Offline Conversions to create lookalike audiences to deliver ads across Meta technologies to people with a similar profile to existing offline customers^{Footnote 4}.
4. Home Depot explained that Meta acts as a service provider to them by processing the information sent by Home Depot and providing it back in aggregated form. This enables Home Depot to measure the effectiveness of an advertising campaign on Meta’s platforms, and its impact on in-store sales.
5. Home Depot further specified that the data they send to Meta through Offline Conversions relates only to in-store customers who requested an e-receipt for their purchase, and not to those who asked for a paper receipt.^{Footnote 5}
6. In practice, Home Depot customers are presented with an on-screen option to receive an e-receipt. If they click “yes”, they are then directed by the system to provide their email address. At no point in this process is reference made to Home Depot’s data sharing with Meta.
7. Home Depot then forwards the customer’s hashed email address and off-line purchase details to Meta through Offline Conversions. Meta matches the email to the customer’s Facebook account and compares offline purchase information to ads delivered to the customer on Facebook, to measure effectiveness of those ads. If the hashed email is not already associated with a Facebook account, Meta cannot link it to an individual.
8. Meta ultimately provides aggregated reports to Home Depot, including the store sales that can be attributed to a specific advertising campaign.

Analysis

Issue: Did Home Depot obtain valid consent?

9. Principle 4.3 of Schedule 1 of PIPEDA requires knowledge and consent for the collection, use and disclosure of personal information, except where inappropriate.
10. As explained in more detail below, when Home Depot sends Meta in-store transaction data through Offline Conversions, this represents a disclosure of personal information.
11. For the reasons that follow, we find that Home Depot failed to ensure valid consent for such disclosure. In coming to this determination, our Office considered: (i) the appropriate form of consent for this practice; and (ii) the meaningfulness of consent in the context at hand.

Disclosure of personal information to Meta

12. We found that Home Depot disclosed customer personal information to Meta and contractually authorized Meta to use that information both on behalf of Home Depot and for its own business purposes, including for purposes unrelated to the provision of services to Home Depot.
13. Home Depot stated that Meta acts as a service provider to Home Depot by “doing externally what Home Depot could have done internally”. Home Depot views this practice as a processing activity that does not require additional consent. For the reasons outlined below, we do not agree.
14. Both Home Depot and Meta submitted that Offline Conversions is subject to the Facebook Business Tools Terms (“Terms”) in place since May 2018. This is an agreement between Meta and the business client, in this case Home Depot. Section 2 of the Terms sets out the purposes for which Meta may use the personal information a business chooses to send to Meta, including: (1) for measurement and analytics services; (2) for targeting ads; (3) to deliver commercial and transactional messages; and (4) to improve ad delivery and personalize features and content as well as to improve and secure the Meta products.^{Footnote 6}
15. In particular, paragraph 2. v. 1 of the Terms says:
    

    “You may provide Event Data to improve ad targeting and delivery optimization of your ad campaigns. We may correlate that Event Data to people who use Facebook Company Products to support the objectives of your ad campaign, improve the effectiveness of ad delivery models, and determine the relevance of ads to people. We may use Event Data to personalize the features and content (including ads and recommendations) that we show people on and off our Facebook Company Products. In connection with ad targeting and delivery optimization, we will: (i) use your Event Data for delivery optimization only after aggregating such Event Data with other data collected from other advertisers or otherwise collected on Facebook Products; and (ii) not allow other advertisers or third parties to target advertising solely on the basis of your Event Data.” [emphasis added]

16. Although Home Depot submitted that these potential uses are directly to their benefit (e.g., improving the effectiveness of their ads on Facebook), we find that they go far beyond Home Depot’s business purposes and the purposes understood by the customer. As confirmed by Meta, they involve the disclosure of Home Depot customer data to Meta to be used for its own business purposes, such as optimizing the effectiveness of ad delivery models or personalizing the features and content that they show on Meta’s platforms. Therefore, Home Depot must obtain consent for this disclosure.
17. For the reasons set out below, we found that Home Depot failed to ensure valid meaningful consent for its practice of sharing customer information with Meta for Home Depot’s and Meta’s purposes. First, we did not accept Home Depot’s assertion that it had obtained implied consent for the practice: it could not rely on its privacy policy and/or that of Meta to obtain consent, and in any event, the explanations provided in those policies were insufficient to support meaningful consent. Further, it is our view that the company should have obtained express opt-in consent.

Form of consent

18. Principle 4.3.4 of Schedule 1 of PIPEDA provides that the form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information.
19. Principle 4.3.5 further states that on obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual’s name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual’s request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained.
20. The Guidelines for obtaining meaningful consent (the “Guidelines”) jointly issued by the OPC, the Office of the Information and Privacy Commissioner of Alberta and the Office of the Information and Privacy Commissioner for British Columbia further provide that “organizations must generally obtain express consent” when: (i) the information being collected, used or disclosed is sensitive; (ii) the collection, use or disclosure is outside of the reasonable expectations of the individual; and/or (iii) the collection, use or disclosure creates a meaningful residual risk of significant harm.
21. Home Depot submitted that it obtained implied consent in a dual manner, through:
    1. The Home Depot Privacy and Security Statement (“Privacy Statement”); and
    2. Meta’s Privacy Policy, privacy educational materials, and privacy settings relating to Offline Conversions and its Off-Facebook feature.^{Footnote 7}
22. Home Depot specified that “bearing in mind the risk of ‘consent fatigue’ that can arise if every single processing activity is disclosed at every juncture, [they] do not provide a just-in-time notification” at the time customers ask for an e-receipt. As mentioned above, customers are simply presented, on the screen of the system processing the purchasing transaction, with the option to receive an e-receipt. If they click “yes”, they are then directed by the system to provide their email address.
23. Home Depot further represented that the reasonable expectations of their customers are considered in the design of the program, which limits the collection to a minimal set of non-sensitive personal information, and provides customers with the ability to withdraw their consent for this practice through either or both of Home Depot (by sending an email to the company, as the complainant did in this case) or Meta^{Footnote 8}, which, in our view, is a further indication that the information has been disclosed to Meta.
24. Moreover, Home Depot explained that, when using Offline Conversions, they upload the following data elements into the Meta media platform:
    1. Customer hashed email;
    2. Date/time of the purchase;
    3. Transaction ID;
    4. Sales dollar amount; and
    5. Custom variables for product information and type of transaction, which refer to the general department of the transaction, such as “lumber”, “hardware” or “paint”.
25. Home Depot stated that they relied on implied consent, since, in its view: (i) the company had taken the precaution of uploading only non-sensitive information to Meta’s Offline Conversion Tool; and (ii) customers would reasonably expect such non-sensitive information to be provided to the social media platform Home Depot is using to deliver online ads, for ad efficiency analysis conducted on an aggregated basis.
26. We find that Home Depot did not obtain customers’ implied consent for the practice at hand. Specifically: (i) most customers would be completely unaware of the practice, and as outlined below, would not reasonably expect it; and (ii) customers’ conduct of providing their email address to obtain an e-receipt cannot be implied to constitute permission for the information to be used by Home Depot for secondary purposes, let alone for disclosure to Meta to be used for its own separate business purposes (discussed further in para. 30).
27. In any event, we find that Home Depot could not have relied on implied consent for the practice.
28. We accept that in the specific context of Home Depot’s use of Meta’s offline conversion tool, the data in question may not be sensitive.
29. However, this does not preclude the possibility that offline purchases and spending patterns can be sensitive and raise a meaningful risk of harm in other retail contexts. Furthermore, it is possible that this information will become sensitive in the context where it is shared with Meta to be combined with other information they hold, to create a rich multi-dimensional profile about the individual.
30. While the information in question may not have been sensitive in the circumstances of this case, we find that when requesting an e-receipt in-store, Home Depot customers would not reasonably expect, or have any reason to suspect, that their email address and off-line purchase details would be shared with Meta for the purpose of measuring the impact of Home Depot’s online advertising campaigns. Nor would they reasonably expect that this same information be disclosed to Meta, the world’s largest social media company and one of the world’s largest online advertising platforms, to be used for Meta’s own business purposes, including targeted advertising, unrelated to Home Depot (as outlined in paras. 14 and 15).
31. Ultimately, we find that Home Depot should have obtained express consent, at or before the time of collection, for these purposes.
32. Our Guidelines further explain that individuals cannot be required to consent to the collection, use or disclosure of personal information unless it is integral to the provision of the product or service – they must be given a choice, and that choice must be clearly explained and easily accessible.
33. Home Depot customers are not presented, at the time of providing their email, with a choice whether or not to have their information shared with Meta, for Home Depot’s secondary purposes or Meta’s purposes unrelated to those of Home Depot.
34. Home Depot indicated that individuals could withdraw their consent to this practice by either: (i) sending an email to Home Depot requesting that their email address be disassociated from their Home Depot account; or (ii) disconnecting from their Facebook account any data sent to Facebook by third parties^{Footnote 9}. However, as detailed further above, individuals are unlikely to be aware that their information is being shared with Meta. As such, they would have no reason to make such a request to either Home Depot or Facebook.
35. In any event, the ability to withdraw consent after the fact is not sufficient in this case. At that point, the customer’s information will have already been disclosed to Meta. Given the requirement for express consent, this choice should have been offered upfront, at the time of collection, in the form of an opt-in choice, before the information is shared with Meta.

Meaningfulness of consent

36. Furthermore, we do not accept Home Depot’s reliance on its Privacy Statement and Meta’s Privacy Policy as being sufficient to support meaningful consent to the disclosure of in-store customers’ personal information to Meta.
37. Principle 4.3.2 of Schedule 1 of PIPEDA provides that an organization must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. In addition, section 6.1 of PIPEDA requires that for consent to be valid, it must be reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use, or disclosure of the personal information to which they are consenting.
38. Additionally, the Guidelines provide that individuals should be made aware of all purposes for which information is collected, used or disclosed. These purposes must be described in meaningful language, avoiding vagueness like ‘service improvement’, and should not be buried in a Privacy Policy or terms of use as it serves no practical purpose to individuals with limited time and energy to devote to reviewing privacy information.
39. Finally, the Guidelines state that in order for consent to be considered valid, or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner. This means that organizations must provide information about their privacy management practices in a form that is readily accessible.
40. Home Depot represented that their Privacy Statement is available, in printed form, at all their locations, and is linked to on all pages of their website. In-store customers can make a request for a printed copy of the Privacy Statement to any of the store associates.
41. Home Depot further submitted that their Privacy statement describes: (i) the type of information they collect, which includes “purchase history” and “email addresses”; (ii) in what circumstances they collect that information directly from customers, which includes “in connection with an online or in-store purchase”; and (iii) how they use it for their business purposes, which includes “to improve [their] products and services”, to look at “trends and customer interests” and “for de-identification purposes”. With regard to the latter, the Privacy Statement specifies that Home Depot uses "de-identified information for internal business purposes, such as marketing, customer service, and business analytics”. Finally, the Privacy Statement also states that they “may share information for [their] business purposes”, including “with third parties who perform services on our behalf”.
42. With regard to Meta’s Privacy Policy, Home Depot highlighted that the policy explains that partners (such as Home Depot) use business tools to provide information about “online and offline actions and purchases”.
43. First, we note that when requesting an e-receipt, customers are neither notified of the disclosure of their personal information to Meta, nor directed to Home Depot or Meta’s privacy statements. Their expectation is limited to simply what they have been told, i.e., they will receive an e-receipt of their transaction. We therefore find that customers would have no reason to refer to the aforementioned privacy documents to obtain further information on a practice they are unaware of. Yet, Home Depot’s consent model places the onus on customers to proactively seek out these policies online or request a printed copy from a store associate. This in no way constitutes Home Depot making ‘reasonable efforts’ – within the meaning of principle 4.3.2 – to ensure that customers are advised of the purposes for which their information will be used and disclosed. Consequently, Home Depot cannot rely on its Privacy Statement, and/or that of Meta, to support meaningful consent for the practice at hand.
44. Home Depot referenced “consent fatigue” as a rationale for why, at the time the customer requests an e-receipt, it did not notify customers of its practices vis-à-vis sharing information with Meta. To that point we would note that Home Depot did not provide any explanations, at this point-of-sale, regarding how it would use or disclose customer information for purposes other than to send them an e-receipt. Given the nature of the use and disclosure in question, as described above, this information would have been material to the customers’ decision whether or not to provide their email address to obtain an e-receipt.
45. Furthermore, even if customers requesting an e-receipt were to read Home Depot’s Privacy Statement, we do not believe that they would reasonably understand the nature of the information sharing with Meta, or the consequences of this practice. Indeed, the Privacy Statement uses generic and vague terms such as “improve our products and services”, which do not clearly describe the purposes for the collection, use and disclosure of personal information in this context. Home Depot’s statement that it “may share [customer] information for [their own] business purposes”^{Footnote 10} does not reflect the practice at hand with sufficient precision, and certainly does not explain that customer information may be disclosed to Meta for the purposes described above. [Emphasis added]
46. For all the above reasons, we are of the view that Home Depot failed to obtain valid meaningful consent for its disclosure of customer information to Meta, to be used for Meta’s own purposes.

Recommendations

47. With a view to bringing Home Depot into compliance with PIPEDA, we recommended that the organization:
    1. Cease disclosing, to Meta, personal information of customers requesting an e-receipt, until such time that it implements measures to ensure valid consent;
    2. Should it choose to recommence its practice of sharing customer information with Meta via Offline Conversions, implement measures to obtain express, prior opt-in consent for the practice;
    3. Amend privacy communications to ensure transparent messaging and meaningful consent for this practice, by:
       1. providing key information up front, at the time customers request an e-receipt, including: (i) what information will be disclosed to Meta; (ii) that it will be used for the purpose of measuring the effectiveness of Home Depot’s Facebook advertising campaigns; (iii) that the information will also be used by Meta (Facebook) for its own purposes, including targeting; and (iv) that customers have the option to withdraw consent at a later time; and
       2. including in its Privacy Statement a more detailed explanation of the practice, and how to withdraw consent.

Home Depot’s response to the recommendations

48. In response to our recommendations, Home Depot discontinued the use of Meta’s Offline Conversions Tool in October 2022, thereby complying with our recommendation in para. 47(i). Home Depot also confirmed that should it decide to re-engage with the use of this Tool, it would implement recommendations in para. 47(ii) and (iii) prior to doing so.
49. We appreciate Home Depot’s cooperation throughout our investigation and its commitment to enhancing privacy through acceptance of our recommendations.

Conclusion

50. Accordingly, our Office concludes the matter to be well-founded and resolved.