Home Depot didn’t get customer consent before sharing data with Facebook’s owner, privacy watchdog finds
Home improvement retailer Home Depot didn’t get customer consent before sharing personal data with Meta, which operates social media giants Facebook and Instagram, according to a new report by Canada’s privacy watchdog.
Privacy Commissioner Philippe Dufresne released the findings of his latest investigation Thursday morning.
It found Home Depot began sharing details from electronic receipts with Meta in┬а2018 тАФ including encoded email addresses and in-store purchase information тАФ without the knowledge or consent of customers. The company said it stopped sharing customer information with Meta in October 2022.
Home Depot’s Canada division was using a service provided by the social media giant called “offline conversions.”
According to the privacy report, information sent to Meta was used to determine whether┬аa customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s ads to gauge their effectiveness.
The program’s contract┬аterms also allowed Meta to use the customer information for its own business purposes, including user profiling and targeted advertising┬аunrelated to Home Depot.
‘Highly sensitive’
“While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality,” said the commissioner’s report.
A spokesperson for Home Depot said only┬аnon-sensitive information тАФ such as the department in which a purchase was made тАФ┬аwas used as part of the Meta program.
During a news conference Thursday,┬аDufresne said that even┬аknowing when and how often a person buys┬аan item can expose personal details.
┬а“The more information you have about an individual, the more you can create an image of that person. And┬аso that’s why it is something that absolutely has to be taken seriously by organizations,” he said.
Former Ontario privacy commissioner Ann Cavoukian said any┬аtype┬аof personal data can be exploited┬аin ways that aren’t always obvious.
“Personally identifiable data in the wrong hands can be used for a variety of purposes that would never be contemplated, that can come back to bite you,” she said.
“It’s very sensitive information. It doesn’t belong to anyone other than the data subject who consents to a particular use of the information.”
Dufresne┬аsaid his office isn’t sure how many Canadians had their┬аinformation shared with Meta while the program was in place. He said he┬аsuspects it was “many.”
“It is a widespread reality of being asked for a paper or online receipt. So we were dealing with a situation where we had one complainant who was affected by this, but we know that┬аthis was occurring on┬аmultiple occasions,” he said.
“This is something we are┬аflagging as┬аsomething that should be looked at by organizations. And if they are┬аapplying similar policies, they need to know that this is not consistent with privacy law.”
Home Depot says it worried about ‘consent fatigue’
Home Depot told Dufresne’s office that it relied on implied consent and that its privacy statement тАФ┬аaccessible through its website and in print upon request at retail locations тАФ┬аexplained that the company uses de-identified information for internal business purposes.
“The explanations provided in its policies were ultimately insufficient to support meaningful consent,” Dufresne said in a media release.
Cavoukian said she was stunned by Home Depot’s response.
“That’s the part that is just mind-boggling to me, that companies think they can do whatever they want with their customers’ information and their customers won’t care about it,” she said.
Home Depot┬аsaid it did not notify customers of its sharing agreement with Meta when they were at checkout before prompting an e-receipt, due to the risk of “consent fatigue.”
Dufresne didn’t buy that argument, either.
“Consent fatigue is not a valid reason for failing to obtain meaningful consent,” he wrote.
“When customers were prompted to provide their email address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company. This information would have been material to a customer’s decision about whether or not to obtain an e-receipt.”
Wendy Wong is a┬аprofessor┬аof┬аpolitical science┬аat the┬аUniversity┬аof┬аBritish Columbia’s┬аOkanagan┬аcampus; she specializes in human rights issues related to big data. She said the idea of meaningful consent needs to be reconsidered.
“I don’t think it’s consent fatigue. I think the types of things we’re being asked to consent to as the public and as consumers have ballooned to the point where it’s not meaningful anymore,” she said.
“I think that we’re placing the onus on the public to understand complex and vague legal documents and to assume everyone understands what’s going on when it’s about data that’s being collected about us.”
Home Depot has agreed to implement the commissioner’s recommendations тАФ including the recommendation┬аthat it stop disclosing the personal information of customers who request electronic receipts to Meta until it is able to put better consent measures in place.
“We value and respect the privacy of our customers and are committed to the responsible collection and use of information. We’ll continue to work closely with the Office of the Privacy Commissioner of Canada,” said an unnamed spokesperson in an email to CBC.
Complaint raised by customer
The federal watchdog was alerted to the issue by a man who complained that┬аwhile he was deleting his Facebook account, he learned that Meta had a record of most of his in-store purchases at Home Depot.
According to the report, he went to the Office of the Privacy Commissioner when┬аHome Depot┬аincorrectly told him┬аthat they had not shared his information with Meta.
Wong said Canadians should be aware of the data and patterns they are sharing and should┬аdemand that their governments take action.
“Look, data collection has implications for individuals but also for us as a collective, as a public,” she said.
“We really need to┬аpush our policymakers to not just focus on individuals being violated here in this situation, but actually how this affects us as a society, right?┬аWhat does it mean when so much data about so many of our individual activities are being collected and triangulated and analyzed in these vast datasets.”
Home Depot’s Canada wing operates about 180 stores across the country.┬а
In 2014, Home Depot revealed a massive data breach that affected 56 million debit and credit cards. In that case, the Atlanta-based company said hackers initially accessed its network with a third-party vendor’s username and password.
Home Depot said the hackers then deployed malware on Home Depot’s self-checkout systems to gain access to the card information of customers who shopped at its U.S. and Canadian stores for months.