Canadians’ private data needs to be safeguarded, says Algoma – Manitoulin – Kapuskasing Member of Parliament
Algoma-Manitoulin-Kapuskasing MP, Carol Hughes writes a regular column about initiatives and issues impacting our community.
Last week, Privacy Commissioner Philippe Dufresne released a report detailing home improvement giant Home Depot selling private customer data to Meta, owners of Facebook and Instagram, without the consent or knowledge of customers.
The information that was shared included customer details from e-receipts, namely encoded email addresses and in-store purchase information. While it can be legal to share that type of information with other companies, it requires that users actively consent to information sharing, under the Personal Information Protection and Electronic Documents Act (PIPEDA).
This was not done. Home Depot told the Privacy Commissioner that it believed it received implied consent from users, as its privacy statement on its website states the company “may use de-identified information for internal business purposes, such as marketing, customer service, and business analytics.” Dufresne advised that this was insufficient as a form of consent from customers, and when pressed, Home Depot doubled down, stating they did not notify customers at check-out due to “consent fatigue.”
This follows other recent stories of companies either selling personal data or not doing enough to protect it once it’s in their hands or tracking individuals without their consent. Some may recall that Tim Hortons was also rebuked by the Privacy Commissioner this summer due to their app tracking and recording customers’ movements, even when the app wasn’t running.
In either case, punishment for these companies exists somewhere between negligible and nonexistent. Home Depot is now required to cease providing Meta with customer data until it starts implementing systems to receive direct consent. Tim Hortons had to delete customer location data gathered by the app and establish and maintain a privacy management program.
No fines, no other punishment, as long as those companies agree to strengthen their privacy policies.
User data is big business for tech companies. Many tech companies, including Meta, Twitter, YouTube, and others, provide their services for no monetary compensation but instead collect user data to then monetize, in addition to traditional revenue streams like advertising. People have an expectation that if they sign up for a service that uses their data for one purpose, that the data they provide isn’t being sold or provided to other companies.
Digital privacy and data protection aren’t new concepts in the grand scheme of things.
Facebook and YouTube have existed for almost 20 years, and even email became a normal part of our everyday lives for a decade before that. But neither the current Liberal government nor the former Conservative government has done anything significant to protect user data from the type of practices that Home Depot and Tim Hortons have done with customer data.
While PIPIDA and Canada’s Anti-Spam Legislation (CASL) are starting points, companies clearly aren’t too worried about whether they breach these acts because there’s little penalty for doing so.
Canadians are justifiably concerned for their privacy, security and consumer rights. It’s time we create a Canadian Digital Bill of Rights that protects people’s data.
This should include boosting the powers of the Privacy Commissioner to enforce orders and levy fines and penalties to ensure compliance by large companies for potential data breaches.
It’s not enough to take corporations at their word when they say “this won’t happen again,” we need to ensure that they protect any personal data they receive with the utmost care, or face actual, serious consequences. Only when the threat of playing fast and loose with people’s personal data results in hurting a corporation’s bottom line will they start taking data protection seriously.
Digital safety and privacy need to be placed above the profits of companies. Canadians deserve to be comfortable in the knowledge that their data is only being used in ways in which they have already agreed to.