With the rise of self-checkout counters and online shopping in recent years, e-receipts have become a ubiquitous and convenient facet of Canada's retail landscape.
They offer an environmentally friendly alternative to printed receipts and allow consumers to easily keep track of their purchases without fear of misplacing a small slip of paper.
However, according to the Office of the Privacy Commissioner of Canada (OPC), the practice raises questions about consumer privacy. A recent investigation by the OPC highlighted how hardware chain Home Depot shared consumer information with Meta, the company that operates Facebook, for years without informed consent.
And e-receipts are only one of the tools retailers and tech companies use to mine consumers for their data.
Consumers might not have the ability to stop corporations from breaking laws designed to protect them, but there are steps they can take to safeguard their data. Here are ways you can protect your personal information.
DON'T SHARE YOUR DATA
Be aware that almost any time you share any information about yourself with a retailer or social media platform, you may unknowingly be agreeing to a host of conditions that could include cross-platform data sharing.
The easiest way to avoid allowing tech and retail companies to sell your information to third parties is not to give it to them in the first place, Terry Cutler, cybersecurity expert, author and CEO of Cyology Labs, told CTVNews.ca in a telephone interview on Thursday.
"Just don't put it in. It's as simple as that," Cutler said. "Some people want to have a copy of their receipt (emailed), but the moment they opt into that service, their email could be shared with Facebook to get retargeted afterwards."
In addition to opting out of emailed receipts, wary consumers might choose not to sign up for newsletters that promise to share information about deals and discounts, shop online, use services like Facebook Marketplace or disclose anything about their shopping habits on social media.
But the reality is that consumers have become accustomed to the convenience of online shopping, e-receipts and saved login and credit card information. These conveniences can come at a cost.
"Consumers want convenience," Cutler said. "But they don't think about security."
If you know you're going to use services that require your personal data in exchange for a more convenient experience, Cutler said, you should fully understand what you're agreeing to and how to protect yourself against breaches that could compromise your privacy and security.
UNDERSTAND THE TERMS
On its website, the OPC recommends consumers make a habit of reading the privacy policies of the websites and apps they use. Cutler agrees.
"Unless (consumers) start reading the terms and conditions of what companies do with their information, they're not going to know," he said.
Websites that collect personal information will usually provide an accessible link to their privacy terms and conditions, and may even require users to agree to the terms before submitting their information. If you see something in the terms and conditions you don't agree with, or if the company isn't able to answer questions you have about how your information will be used and protected, you should think twice before using their service.
SECURE YOUR DEVICES
To protect your privacy online, it's always a good idea to ensure your computer, smartphone and other mobile devices are password protected. Also ensure devices are armed with the latest anti-virus, anti-spam and firewall software to help guard against cyber attacks aimed at stealing your information.
PROTECT YOUR PASSWORDS
Anyone, even your favourite online retail store or web service, can become the victim of a data breach. This means anything you share in good faith, such as your contact information, address, credit card information or saved passwords, can be stolen and exploited if a company's database is breached by hackers.
"If you're using login services and that company gets breached, then there's a chance your passwords will leak onto the dark web," Cutler said. "And then hackers can log into your account and take it over."
One way you can help prevent identity theft is to use different passwords for different websites, accounts and devices, according to the OPC. Cutler says users should also make sure they're using two-factor authentication wherever possible, especially when saving passwords online.
"This is where you have to type in your username and password and then use a six-digit code on your phone to log in," he said. "This way, if a cyber criminal is able to get your information and tries to log into your account, it's not going to work."
Cutler's company has also developed Fraudster, which uses push notifications to warn users of new internet scams and cyber attacks.
KNOW YOUR PRIVACY SETTINGS
Mobile devices, browsers, sites, apps and online games often have adjustable privacy settings that give users the option to make them more or less secure.
On mobile devices, these settings can include the ability to control everything from location tracking to password-protected screen locks. Browser settings often allow users to control things like cookies and pop-ups, while apps, websites and social media platforms generally allow users to control what personal information they share publicly.
The OPC warns users should never rely on default settings, and should take time to customize their settings instead.
HOME DEPOT: A CASE STUDY
The line between disclosure and deception can sometimes be flimsy, as the OPC discovered in its investigation of Home Depot.
According to investigators, Home Depot began collecting customer email addresses at store checkouts for the purpose of providing e-receipts in 2018. What customers were not told was that their email addresses, along with high-level details about their in-store purchases, were being shared with Meta for use in developing targeted advertising.
Home Depot argued to the OPC that it had relied on implied consent to distribute customer information. The company said its privacy statement, available on its website and in print at retail locations upon request, adequately explained how it would use the information it gathered.
But the OPC rejected the argument, saying Home Depot failed to make its privacy statement available to customers at the check-out counter, and that consumers would not have known to seek it out. The OPC also determined that Home Depot’s privacy statement did not clearly explain the practice in question.
"When Home Depot customers were prompted and agreed to receive an e-receipt, they were never informed that their information would be shared with Meta, or how it would be used by either company," said Privacy Commissioner Philippe Dufresne in a media release issued on Thursday.
"This is where Home Depot fell short. Consumers need clear information at key transaction points so that they can make informed decisions about how their personal information should be used and provide meaningful consent."
The OPC says its investigation has prompted Home Depot to stop sharing customer email addresses with Meta as of October, and that the company has promised to secure meaningful consent from customers should it ever reintroduce the practice.