The Office of the Privacy Commissioner of Canada (OPC) recently released findings stemming from a customer complaint that Home Depot of Canada (Home Depot) had violated the Personal Information Protection and Electronic Documents Act (PIPEDA) by disclosing customers' personal information to Facebook's parent, Meta Platforms Inc. (Meta), without customers' knowledge and consent.

As explained in the findings, released on January 26, 2023, between 2018 and October 2022, Home Depot was sending in-store customers' hashed email addresses and offline purchase details to Meta using a tool known as "Offline Conversions." Meta then used this information to measure and report to Home Depot regarding the effectiveness of ads delivered to the same customers on Facebook. The language of Meta's standard terms for use of the tool was broad enough to permit Meta to use the customer information for Meta's own business purposes unrelated to Home Depot.

The OPC concluded that Home Depot's sharing of customer information with Meta constituted a disclosure to a third party under Canada's privacy law and that customers would not have reasonably expected such disclosure. The OPC found that Home Depot therefore should have obtained customers' express opt-in consent to the practice at or before the time of collection.

The findings - the first released by the OPC in 2023 - provide important insight into the OPC's current position on the required form of consent, the extent of disclosure needed to obtain meaningful consent and the permissibility of using personal information for secondary purposes. They also provide a caution on vague or permissive language in third-party service provider contracts.

Key Takeaways for Businesses

  • When determining the form of consent to use - particularly when deciding whether implied consent can be relied upon - consider both the sensitivity of the information at issue and the reasonable expectations of the relevant individuals.
  • Obtaining valid meaningful consent to the collection, use or disclosure of personal information requires both making reasonable efforts to advise the individual of the purposes for which the information will be used and ensuring that it would be reasonable to expect that the individual understands the nature, purposes and consequences of the practice.
  • When entering into an agreement with a service provider that will handle or process personal information, organizations should carefully scrutinize the agreement for provisions permitting the service provider's secondary use of such information.
  • Where a service provider is permitted to use personal information for general product improvement or optimization purposes that will benefit all users of the product or service, such secondary uses may not be "part of the contracted service" and therefore are not subject to the service provider consent exception.
  • Where such secondary uses are provided for, ensure that they are expressly limited solely to use of aggregated and anonymized data. Otherwise, the transfer of personal information will likely be considered a "disclosure" to a third party, for which meaningful consent must be obtained.
  • Concerns about "consent fatigue" do not outweigh the use of "just-in-time" notices where feasible and appropriate.
  • While the findings did not lead to any monetary penalties or fines, if the anticipated changes to Canada's privacy law are adopted, organizations may be subject to significant monetary penalties and fines for comparable practices.

Background

While deleting his Facebook account, a Home Depot customer learned that Meta had a record of most of his in-store purchases made at Home Depot. After failing to resolve the matter with Home Depot directly, he made a complaint to the OPC.

Inquiry and Findings

Relationship Between Home Depot and Meta Was Not a Pure "Service Provider" Relationship

During the OPC's inquiry, Home Depot confirmed that it had been sending certain customers' in-store purchase data to Meta through a business tool known as "Offline Conversions."

This tool was designed to allow Home Depot to assess the effectiveness of its Facebook ads. Specifically, when an in-store customer opted to receive an e-receipt, they were directed to provide their email address. Home Depot then sent the customer's hashed email address and purchase details to Meta, which matched the email address to an existing Facebook account and then compared the in-store purchases to the Facebook ads delivered to that Facebook account. Meta then provided Home Depot with the results of its analysis in the form of an aggregated report.

Home Depot submitted that Meta was acting as its service provider by "doing externally what Home Depot could have done internally." Home Depot argued that this practice was therefore a processing activity for which no additional consent was required.

The OPC disagreed. It noted that the Facebook Business Tools Terms (Terms) - the standard form agreement between Home Depot and Meta that governed use of the Offline Conversions tool - permitted Meta to use the information obtained for multiple secondary purposes. Specifically, the Terms stated that Meta may use the personal information to "improve the effectiveness of ad delivery models, and determine the relevance of ads to people," and "personalize the features and content (including ads and recommendations) that we show people on and off our Facebook Company Products."

The OPC further rejected Home Depot's argument that these potential uses were directly to Home Depot's benefit by, for example, improving the effectiveness of Home Depot's own ads on Facebook. The OPC found that the purposes stated in the Terms went beyond Home Depot's own business purposes and allowed Meta to use Home Depot customer data to improve Meta's services for third parties, including by creating "lookalike audiences" for other businesses to target with ads. Meta confirmed to the OPC that it regarded such purposes as its own business purposes.

The OPC determined based on the above that Home Depot was required to obtain its customers' consent for the disclosure to Meta.

Implied Consent Insufficient for the Disclosure

Home Depot argued that it had obtained implied consent both through its own Privacy and Security Statement and through Meta's Privacy Policy, related materials and privacy settings. Home Depot made no reference to these policies, or its use or disclosure of customers' information, at the point of purchase when the customer provided their email address for the e-receipt. Home Depot explained that it had not provided "just-in-time" notification (i.e., at the time customers provided their email addresses for the e-receipts) as it was concerned about "consent fatigue," which could arise "if every single processing activity is disclosed at every juncture."

Home Depot further argued that implied consent was an appropriate form of consent in those circumstances because (i) the information provided to Meta was not sensitive and (ii) customers would "reasonably expect such non-sensitive information to be provided to the social media platform Home Depot is using to deliver online ads, for ad efficiency analysis conducted on an aggregated basis."

The OPC disagreed. First, the OPC found that Home Depot had not in fact obtained meaningful implied consent because (i) "most customers would be completely unaware of the practice" and "would not reasonably expect it," and (ii) customers' provision of their email addresses to obtain e-receipts cannot be implied to constitute consent to the use of the information for measuring the impact of Home Depot's online advertising campaigns, let alone for Meta's own business purposes.

Moreover, the OPC concluded that express, opt-in consent was required in the circumstances. While acknowledging that the information at issue was not in fact sensitive, the OPC flagged that such information could become sensitive when combined with other information Meta holds about the individual. More significantly, the OPC found that Home Depot customers would not reasonably expect that their email addresses and offline purchase details would be shared with Meta for Home Depot's secondary purposes or Meta's own purposes.

Home Depot Privacy Policy Not Sufficiently Clear to Provide Meaningful Consent

In any event, the OPC found that Home Depot's Privacy and Security Statement did not provide a foundation for meaningful consent given that (i) when requesting an e-receipt, customers were neither notified of the disclosure of their personal information to Meta nor directed to Home Depot's or Meta's privacy statements, and (ii) the Privacy and Security Statement was insufficiently precise, failing to sufficiently explain the various purposes for which customer information may be disclosed to Meta.

Home Depot agreed to cease using the Offline Conversions tool and, as a result, the OPC found that the matter was resolved.

Discussion and Analysis

Consider the reasonable expectations of individuals when determining form of consent and drafting privacy policies.

Organizations that intend to use personal information for purposes that may fall beyond the reasonable expectations of the individuals from whom the information is collected should consider whether express, opt-in consent (e.g., through "just-in-time" notification) is required in the circumstances. The risk of "consent fatigue" will not outweigh the use of such "just-in-time" notices where feasible and appropriate.

To the extent that implied consent is relied upon, organizations should ensure their privacy policies are clear, specific, comprehensive and comprehensible, particularly when describing practices that may not be anticipated by individuals.

Scrutinize the way personal information is used by service providers for their own purposes.

It is not unusual for service providers that process data on behalf of an organization to reserve the right in their contracts to use that data to conduct internal analytics, generally for improvement or optimization of their own products or services.

Such rights are often, but not always, qualified to limit the use to aggregated, statistical and/or anonymized data. That was not clearly the case in Meta's Terms, which only stated that Meta would use the information collected for "delivery optimization only after aggregating such Event Data with other data collected from other advertisers or otherwise collected on Facebook Products."

Organizations engaging service providers to store, process or otherwise handle personal information on their behalf should carefully scrutinize the contractual terms of their agreements for such secondary-use rights. Where possible, organizations should ensure service providers expressly agree to take steps to eliminate any personal information that may form part of the data used (e.g., through anonymization) prior to further processing. Organizations should also ask their service providers for more details regarding such secondary uses and the steps the service providers will take to remove personal information. Where such secondary uses cannot be avoided, for example when they form part of standard (i.e., non-negotiable) terms and conditions, and where they are not limited to anonymized data, organizations should consider what may be needed to secure the relevant individual consents, including the appropriate form of consent.

Ensure that the service provider's use of personal information is for the organization's specific benefit.

Organizations reviewing secondary-use provisions will sometimes settle on language suggesting that the service provider's use has direct or indirect benefits to the organization itself (e.g., improving the product or service contracted for) and so forms "part of the service," regardless of the potential positive externalities for other users of the same service. The OPC's findings signal that this argument is unlikely to carry much weight going forward.

Be aware that a transfer of personal information to a service provider may be deemed a disclosure.

Where there is ambiguity or uncertainty about the uses of personal information by a service provider, or one or more such uses will benefit the service provider's clients generally, there is a risk that the transfer of personal information to the service provider will be deemed a third-party disclosure not subject to the consent exception for transfers to service providers.

In such cases, organizations should consider whether they should obtain meaningful consent for such disclosure and, if so, the appropriate form of such consent.

Secondary uses may render a service provider a data "controller."

Organizations should also be aware that, where secondary uses are provided for, the service provider becomes the primary accountable organization under PIPEDA (i.e., the "controller") with respect to such secondary uses. Thus, when an access request is made of such a service provider, any contractual restrictions the service provider may have about access requests that it receives in its role as a service provider will not apply. The service provider will be obligated to disclose the relevant personal information in response to such a request and, depending on the nature of the information at issue, how the personal information was obtained.

Conclusion

The findings could have implications for a broad range of outsourcing or service-provider arrangements.

Under changes likely to come soon to Canada's federal privacy law, organizations found to have violated the law may be subject to significant monetary penalties and fines, in addition to the existing reputational consequences. Businesses should take the time to review their reliance on implied consent and examine their service-provider agreements - particularly those based on service providers' standard form terms and conditions - for secondary uses such as those discussed here.
