Home Depot shared customer data with Facebook’s parent company Meta without getting “valid consent,” a new report from Canada’s privacy commissioner has found.
The report, which the Office of the Privacy Commissioner (OPC) published online Thursday morning, dug into a complaint from a man who alleged Home Depot shared a record of “most of his in-store purchases” with Meta — without his knowledge and consent.
The complaint, the privacy watchdog decided, was “well-founded” but has also since been “resolved.”
“Home Depot confirmed to our Office that it was in fact sending in-store customers’ data to Meta through a business tool known as ‘Offline Conversions,’ which allows businesses to measure the effectiveness of Meta ads,” the report explained.
“Specifically, Home Depot forwards the customer’s email address and off-line purchase details to Meta when the customer provides their email address to Home Depot, at check-out, to obtain an e-receipt.”
Meta then used this data to figure out if ads it had served up to the customer worked, and delivered an analysis back to Home Depot. The Facebook parent company was also free to use the customer information for its own business purposes, including “targeted advertising” that is “unrelated to Home Depot,” according to the report.
However, the privacy commissioner’s office found neither company’s privacy statements were “sufficient to obtain implied consent for its disclosure to Meta of the personal information of in-store customers requesting an e-receipt.”
As a result, the watchdog found that Home Depot “should have obtained express opt-in consent for the practice,” even though the information in question was “not generally sensitive.”
“Customers would not reasonably expect Home Depot to disclose that information to Meta,” it read.
Privacy Commissioner Philippe Dufresne, speaking in a press conference about the findings on Wednesday, said organizations “should not trivialize the use of personal information.”
“Personal information is a core part of who we are as individuals and respecting privacy rights is essential to our dignity and fundamental freedoms,” Dufresne said.
Get daily National news
In response to the privacy commissioner’s probe, Home Depot agreed to stop using Meta’s “Offline Conversions Tool” in October. The renovation company also agreed to implement the OPC’s recommendations, which focused on fixing the opaque consent messaging and halting any data-sharing practices until that’s done.
“Even though our use of a Meta analytics tool involved the use of only non-sensitive information i.e., the department in which a purchase was made, as a precaution, we stopped using the tool once the Office of the Privacy Commissioner of Canada expressed concerns about it in October 2022,” a spokesperson for Home Depot Canada told Global News in a statement.
“We value and respect the privacy of our customers and are committed to the responsible collection and use of information. We’ll continue to work closely with the Office of the Privacy Commissioner of Canada.”
This probe, Dufresne said, should serve as a cautionary tale for all companies that use e-receipts as part of their business.
“While our investigation dealt with an individual case, our overall conclusions would apply to any organization that ahs a similar practice with respect to e-receipts,” Dufresne said.
“This report is a reminder to all companies as they increasingly look to deliver services online and offer e-receipts, that they must be clear and transparent about how and why they are asking for consumers’ personal information and that they must obtain meaningful consent from their consumers before sharing this information with third parties.”
The investigation focused only on the Canadian arm of the North American big box renovation chain, which operates over 180 stores in Canada and another 130 in Mexico. Its 2,000 American stores make Home Depot the largest home improvement retail chain in the U.S.
Shoppers at Canadian stores are typically asked to provide their email addresses to receive a paperless receipt at checkout or they can opt for a paper copy.
E-receipts are then shared in emails that include a link to Home Depot Canada’s privacy statement, which states the company will share customer information with “our Canadian, U.S. and foreign affiliates and service providers who provide services on our behalf,” like delivery, payment and call service companies.
It also says information can be shared with “our business partners” in the event of a joint promotion. But the statement does not mention social media companies or advertisers.
The receipts themselves are similar to paper ones and contain the location of the purchase, the payment option used and the items that were purchased.
Home Depot has been victim to data breaches in the past — most notably in 2014, when hackers accessed information from 56 million debit and credit cards from the chain’s payments systems across all stores in the U.S. and Canada.
The chain also revealed that the months-long hack accessed 53 million email addresses.
The breach led to a national class action settlement that included a $250,000 settlement fund for Canadian customers who proved they had incurred losses.
The OPC and privacy watchdogs in Ontario, Alberta and Quebec were notified by the company at the time about the breach, and found Home Depot did not violate Canadian privacy laws.
Meta Platforms has been the subject of multiple controversies regarding the sharing of user data, particularly allowing third parties like Cambridge Analytica to access it.
Last August, the social media giant settled a four-year-old lawsuit in San Francisco federal court over its third-party data-sharing practices for an undisclosed sum.
— with files from Global News’ Sean Boynton
Comments