ONE COMPLAINT SHEDS LIGHT ON COVERT DATA FLOWS

SHOCKING REVEAL OF HOW OUR DATA GETS AROUND IN THE RETAIL SECTOR

Recent privacy concerns regarding Home Depot’s sharing of personal data between 2018 and October 2022 with Meta, which operates social media giants Facebook and Instagram is clearly a widespread issue that has alarmed privacy regulators and the public. At the end of January, Canadian Privacy Commissioner Philippe Dufresne issued a news release regarding his Office’s investigation of Home Depot’s lack of transparency and customer consent.

As part of Meta Platforms Inc.’s Offline Conversions program, retailers share details from electronic receipts, including encoded email addresses and in-store purchase information, with Meta who employs an automated process that allowed it to match email addresses attached to Facebook accounts. If a Facebook account exists, Meta then uses the data to analyze how on-line ads lead to purchases in brick-and-mortar stores and provides much sought after reports on ad effectiveness back to the retailer. All of this occurs without the knowledge of the retailer’s customers.

The program’s contract terms also allow Meta to use a customer’s information for its own business purposes, including user profiling and targeted advertising unrelated to the retailer.

IT ONLY TAKES ONE CUSTOMER COMPLAINT

The Office of the Privacy Commissioner of Canada (OPCC) was alerted to the issue by a man who complained that while he was deleting his Facebook account, he learned that Meta had a record of most of his in-store purchases at Home Depot. He went to the OPCC when Home Depot incorrectly told him that they had not shared his information with Meta.

Many significant privacy issues and troubling data flows that have been going on for years are often highlighted by just one concerned individual. This case is a perfect example of this and is now causing ripples throughout the retail sector.

In my own privacy assessment work where I dig at behind-the-scenes data flows, I find that the marketing department may be using a plethora of data analytics techniques involving questionable data flows that are often unknown to compliance or legal departments. It is highly likely that Home Depot’s initial quick response to this one individual was due to such lack of oversight and transparency within the organization.

HOME DEPOT RESPONSE

A spokesperson for Home Depot then said only non-sensitive information, such as the department in which a purchase was made, was used as part of the Meta program. Dufresne rightfully pointed out in a news conference that even knowing when and how often a person buys an item can expose personal details. With large volumes of linkable personal data available from a variety of sources, detailed profiles have become a hot commodity for marketers.

It is critical for organizations to remain accountable for the data they control, ask their marketing teams appropriate questions, understand data sources and assess whether compliance with privacy laws is being compromised.

Home Depot also told the OPCC that it relied on implied consent and that its privacy statement, available on its website, explained that it “may share information for business purposes,” including “with third parties”. The Commissioner found this was ultimately insufficient to support meaningful consent. Not only were the privacy statements vague, but they were clearly not readily available to customers at the check-out counter, and consumers would have no reason to seek them out.

When customers were prompted to provide their e-mail address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company. This information would have been material to a customer’s decision about whether or not to obtain an e-receipt.

An organization’s responses to key questions during a privacy investigation are indicative of their understanding of privacy considerations, commitment to protecting personal information and the maturity of their privacy program.

FINAL REMARKS

The bigger question from a public policy perspective is whether in fact the onus should be placed on customers to understand the complex flow of data that is collected about us all, and stay informed about consent options. Or should businesses be held to a standard of care with their data holdings and be expected to do what’s fair and appropriate? And whose perspectives on what ‘doing the right thing’ looks like should we be paying attention to anyways? Under tort law we rely upon a ‘reasonable person test’ but as long as privacy statues remain consent based in Canada, the privacy regulators must make assessments regarding meaningful consent. That will continue to be impractical and onerous on the individual, as well as allow organizations to continue mining data without turning their minds to the critical more philosophical questions of whether their practices are appropriate or ethical in the first place. Even the proposed Consumer Privacy Protection Act under Bill 27 that is at second reading and will eventually replace PIPEDA remains a consent-based law.

A class action lawsuit has been launched by a Regina lawyer against Home Depot. Although certification of cybersecurity class actions has become more challenging in the past few years, for example, it is unlikely the 2014 malware attack Home Depot experienced that resulted in credit card data theft would be certified today. However, this issue of data sharing without consent has a good chance of being certified as a class action and thus creeping forward. This will further the discussion and at least nudge businesses in the right direction with respect to transparency.

To learn more about hot topics in privacy and how to navigate the Canadian privacy legal framework, contact PRIVATECH.

Also, now is a great time to become a recognized privacy professional! Earn your CIPP/C, CIPP/US or CIPM designation and train with us to prepare for your certification!