A recent decision from the Office of the Privacy Commissioner of Canada (“OPC”) highlights the importance of obtaining meaningful consent when you are collecting and using customer information, particularly when you are sharing that information with third parties.
On January 26, the OPC released its findings following a complaint that a major retailer was sharing customer emails and purchase information without customer consent. The OPC found the retailer failed to obtain valid meaningful consent for its disclosure of customer information.
Customer emails were shared with Facebook
A customer filed a complaint with the OPC after discovering, while deleting his Facebook account, that Meta had his purchase history from the retailer. The retailer confirmed that, since at least 2018, it had been providing customer emails and purchase information to Facebook (now Meta Platforms Inc.; “Meta”) when customers chose to receive electronic receipts.
Upon receiving this information, Meta matched the encoded emails to users’ accounts to assess the effectiveness of the retailer’s ads. Meta was also permitted to use the collected information for its own purposes – such as targeted advertising and user profiling unrelated to the retailer.
In response to the recommendations of the OPC, the retailer discontinued this practice as of October 2022.
Retailer failed to obtain valid consent
The OPC found that the retailer did not meet the requirements under applicable privacy law, including the Personal Information Protection and Electronic Documents Act, as it failed to obtain meaningful consent from customers.
When a customer chooses to receive an electronic receipt instead of a printed one, they are not consenting to having their personal information shared with third parties. In a statement accompanying the OPC’s findings, the Privacy Commissioner of Canada outlined that Canadians would likely not expect their information to be shared with a third party such as Facebook as a result of opting for an email receipt. The Privacy Commissioner highlighted that organizations must give customers clear information so they can make informed decisions on the use of their personal information.
Consequently, even though the information shared with Meta was not sensitive, the OPC concluded that the retailer should have obtained express opt-in consent for this practice.
The OPC’s findings serve as a reminder that when you are collecting personal information from customers, you must explain the purpose for collecting the information – and limit your use of the information to that purpose. You must also obtain meaningful consent if you intend to share the information with third parties.
If your organization provides customer information to third parties, it is important to review both the information you provide to customers when obtaining their consent and your agreements with those third parties to ensure compliance with applicable privacy laws, for example by placing limits on a third party’s use of your customers’ information.
The lawyers in the MLT Aikins Privacy, Data Protection & Cybersecurity group have extensive experience advising organizations on their obligations under applicable privacy law, including developing privacy policies and advising on the collection, use and sharing of personal information. Contact us to learn more.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.