Home Depot Canada shares data with Facebook without customer consent
Canada Home Depot was found to be sharing details from e-receipts related to in-store purchases with Facebook owner Meta Platforms Inc without the knowledge or consent of its customers, according to Canada federal privacy watchdog.
An investigation by the Office of the Privacy Commissioner of Canada (OPC) found that by participating in Meta’s offline conversions program Home Depot shared the e-receipts that included encoded email addresses and purchase information.
In a report released Thursday, privacy commissioner Philippe Dufresne said the data included encoded email addresses and in-store purchase information.
The commissioner’s investigation discovered that the information sent to Meta was used to see whether a customer had a Facebook account.
If they did have an account, Meta compared what the customer bought at Home Depot to advertisements sent over the platform to measure and report on the effectiveness of the ads.
Meta was also able to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot, the commissioner found.
It is unlikely that Home Depot customers would have expected their personal information to be shared with a social media platform simply because they opted for an electronic receipt, Dufresne said in a statement.
He reminded companies that they must obtain valid consent at the point of sale to engage in this type of activity.
“As businesses increasingly look to deliver services electronically, they must carefully consider any consequential uses of personal information, which may require additional consent.”
Home Depot told the privacy commissioner it relied on implied consent and that its privacy statement, available through its website and in print upon request at retail outlets, adequately explained the company’s use of information. The retailer also cited Facebook’s privacy statement.
The commissioner rejected Home Depot’s argument, saying the privacy statements were not readily available to customers at the checkout counter, adding shoppers would have no reason to seek them out.
“The explanations provided in its policies were ultimately insufficient to support meaningful consent,” Dufresne said.
He recommended that Home Depot stop disclosing the personal information of customers who request an electronic receipt to Meta until it is able to put in place measures to ensure valid consent.
Home Depot fully co-operated with the investigation, agreed to implement the recommendations and stopped sharing customer information with Meta in October, the commissioner said.
The federal watchdog was alerted to the issue by a man who complained that while he was deleting his Facebook account, he learned that Meta had a record of most of his in-store purchases at Home Depot.
According to the report, he went to the Office of the Privacy Commissioner when Home Depot incorrectly told him that they had not shared his information with Meta.
Wong said Canadians should be aware of the data and patterns they are sharing and should demand that their governments take action.
“Look, data collection has implications for individuals but also for us as a collective, as a public,” she said.
“We really need to push our policymakers to not just focus on individuals being violated here in this situation, but actually how this affects us as a society, right? What does it mean when so much data about so many of our individual activities are being collected and triangulated and analyzed in these vast datasets.”
Home Depot Canada operates about 180 stores across the country.
In 2014, Home Depot revealed a massive data breach that affected 56 million debit and credit cards. In that case, the Atlanta-based company said hackers initially accessed its network with a third-party vendor’s username and password.
Home Depot said the hackers then deployed malware on Home Depot’s self-checkout systems to gain access to the card information of customers who shopped at its U.S. and Canadian stores for months.
Part of the article was reported by CP.