An interesting privacy case emerged last week involving Home Depot. The case provides some clear guidance on an area of vulnerability for most retailers around obtaining consent – point of sale.
Last week the Office of the Privacy Commissioner of Canada (OPC) released its findings against the large Canadian retailer. The case revolved around seeking and receiving appropriate consent to share customer data with another party. The ruling was a clear message to industry on its current reliance on implied consent for activity that is not in line with a consumer’s “reasonable expectations” for use of their personal data – particularly in the case of sharing with 3rd parties.
In speaking to the press, Commissioner Dufresne stated that the client in the case “treated customers’ choice to receive a receipt by e-mail, instead of a paper copy, as “implicit consent” to share their data with a third-party.” He went on to say, “This practice is not consistent with privacy law and has to stop,” The message was loud and clear in that consumers need “clear information at key transaction points, empowering them to make decisions about how their personal information should be used.” His closing words sent a message to anyone else currently relying on similar practices to immediately come into compliance with the law. While the OPC does not currently have enforcement power he also made the case for the proposed C27 to be passed so that those using bad practices can be fined appropriately.
PIPEDA has guidance on what constitutes meaningful consent and outlines that not only do organizations need to demonstrate accountability (proof of consent), present the consumer with just in time notices and clear options and control they also need to “consider the reasonable expectations of the individual in the circumstances. For example, if there is a use or disclosure a user would not reasonably expect to be occurring, such as certain sharing of information with a third party, the downloading of photos or contact lists, or the tracking of location, express consent would likely be required.”
While the digital ecosystem becomes increasingly complex for brands to navigate, the only reliable way to obtain express consent at point of sale in a digital environment is through the use of the “pop up” or Consent Management platform. This best in practice technology allows publishers and brands to communicate their privacy practices more openly while giving consumers enhanced control over their privacy preferences. This key element of the eco-system also links consumer choice to the ad tech universe.
When asking the question of whether implied consent is enough using a TCF Canada compliant CMP to provide at time of collection notice, outlining detailed purposes for collection and prompting clear option for opt in consent is a legitimate way to stay on the right side of the law – and more importantly build trust with your consumers. There are over 200 CMPs in the market continually evolving and addressing the complexity of obtaining meaningful consent in an omnichannel customer journey (like the one in this case) is surely top of mind. IAB Canada is heads down working on how to expand our current privacy framework to solve for this problem and are confident that as an industry we can build a solution.
For more information on Consent Management Platforms check out our resource page and for details on TCF Canada click here. And if you would like to know more about our policy work or have any questions reach out to policy@iabcanada.com