Digital marketing and analytics: Lessons for Canadian retailers using offline conversion tools following Privacy Commissioner’s ruling

A recent decision by the Office of the Privacy Commissioner of Canada (OPC) illustrates the complex and often ambiguous nature of consent under Canadian federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). It also highlights key implications for Canadian retailers processing data as part of their digital marketing and analytics efforts, using offline conversion tools.


In PIPEDA Findings # 2023-001, these issues are discussed in the context of a complaint related to the sharing of customers’ personal information by a Canadian retailer, Home Depot of Canada Inc., with Facebook’s parent company, Meta Platforms, Inc. (f/k/a Facebook, Inc.) (Meta), using its business tool known as “Offline Conversions.” This tool helps businesses measure the impact of their online advertising campaigns on in-store sales by sharing a hashed version of their customers’ contact information and in-store transaction data with a third-party platform, which matches the information to users of the platform and compares the transaction data to the ads shown to those users. This enables businesses to make informed decisions about ad spending and improve their digital marketing strategy.

In concluding that an opt-in form of consent was required, the OPC relied on its determination that the data-sharing situation with the social-networking platform fell outside the reasonable expectations of customers who provided their email addresses to receive e-receipts. This conclusion was reached even though the practice did not involve any sensitive personal information or pose an immediate risk of significant harm to customers.

In addition, the OPC held that customers should have been actively informed of key elements related to the data-sharing practice at the time of collection, including the fact that the social-networking platform was contractually permitted to use the information for its own business purposes. This underscores the risks associated with relying solely on information contained in a privacy policy to obtain meaningful consent for secondary marketing and analytics purposes.

This decision highlights some of the grey zones under Canadian privacy laws and the challenges that businesses face in interpreting and applying the notion of consent and the “reasonable expectations” standard. In fact, media reports following the release of this decision highlighted the fact that many other major Canadian retailers may have also been using Meta’s Offline Conversions tool without obtaining opt-in consent from customers, illustrating that other industry players were interpreting these legal grey zones in a similar fashion.

The above underscores the need for a more collaborative approach between the industry and Canadian privacy regulators to better understand the marketing and analytics practices and needs of businesses, and to proactively develop clear, practical guidance on how to implement these practices in compliance with Canadian privacy laws.

While the decision does not preclude organizations from relying on implied consent for all forms of marketing and analytics, it does bring to light the importance of providing individuals with upfront notice of such practices, placing clear limits on partners’ use of the information, and making it easy and convenient for individuals to withdraw their consent for secondary purposes. However, the lack of clear regulatory guidance on these issues means in turn that organizations that rely on an opt-out form of consent to process information for marketing and analytics will always face a risk of non-compliance, particularly for novel practices that may arguably fall outside of individuals’ reasonable expectations.

This content has been updated on May 2, 2024 at 12 h 41 min.