Home Depot didn’t get customer consent before sharing data with Facebook’s owner, privacy watchdog finds | CBC News

Home improvement retailer Home Depot didn’t get customer consent before sharing personal data with Meta, which operates social media giants Facebook and Instagram, according to a new report by Canada’s privacy watchdog.

Privacy Commissioner Philippe Dufresne released the findings of his latest investigation Thursday morning.

It found Home Depot began sharing details from electronic receipts with Meta in 2018 — including encoded email addresses and in-store purchase information — without the knowledge or consent of customers. The company said it stopped sharing customer information with Meta in October 2022.

Home Depot’s Canada division was using a service provided by the social media giant called “offline conversions.”

According to the privacy report, information sent to Meta was used to determine whether a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s ads to gauge their effectiveness.

The program’s contract terms also allowed Meta to use the customer information for its own business purposes, including user profiling and targeted advertising unrelated to Home Depot.

‘Highly sensitive’

“While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality,” said the commissioner’s report.

A spokesperson for Home Depot said only non-sensitive information — such as the department in which a purchase was made — was used as part of the Meta program.

During a news conference Thursday, Dufresne said that even knowing when and how often a person buys an item can expose personal details.

 “The more information you have about an individual, the more you can create an image of that person. And so that’s why it is something that absolutely has to be taken seriously by organizations,” he said.

Former Ontario privacy commissioner Ann Cavoukian said any type of personal data can be exploited in ways that aren’t always obvious.

“Personally identifiable data in the wrong hands can be used for a variety of purposes that would never be contemplated, that can come back to bite you,” she said.

“It’s very sensitive information. It doesn’t belong to anyone other than the data subject who consents to a particular use of the information.”

Dufresne said his office isn’t sure how many Canadians had their information shared with Meta while the program was in place. He said he suspects it was “many.”

“It is a widespread reality of being asked for a paper or online receipt. So we were dealing with a situation where we had one complainant who was affected by this, but we know that this was occurring on multiple occasions,” he said.

“This is something we are flagging as something that should be looked at by organizations. And if they are applying similar policies, they need to know that this is not consistent with privacy law.”

Home Depot says it worried about ‘consent fatigue’

Home Depot told Dufresne’s office that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, explained that the company uses de-identified information for internal business purposes.

“The explanations provided in its policies were ultimately insufficient to support meaningful consent,” Dufresne said in a media release. 

Cavoukian said she was stunned by Home Depot’s response.

“That’s the part that is just mind-boggling to me, that companies think they can do whatever they want with their customers’ information and their customers won’t care about it,” she said.

Home Depot said it did not notify customers of its sharing agreement with Meta when they were at checkout before prompting an e-receipt, due to the risk of “consent fatigue.”

Dufresne didn’t buy that argument, either.

“Consent fatigue is not a valid reason for failing to obtain meaningful consent,” he wrote.

“When customers were prompted to provide their email address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company. This information would have been material to a customer’s decision about whether or not to obtain an e-receipt.”

Home Depot has agreed to implement the commissioner’s recommendations.

“We value and respect the privacy of our customers and are committed to the responsible collection and use of information. We’ll continue to work closely with the Office of the Privacy Commissioner of Canada,” said an unnamed spokesperson in an email to CBC.

Complaint raised by customer

The federal watchdog was alerted to the issue by a man who complained that while he was deleting his Facebook account, he learned that Meta had a record of most of his in-store purchases at Home Depot.

According to the report, he went to the Office of the Privacy Commissioner when Home Depot incorrectly told him that they had not shared his information with Meta

Home Depot’s Canada wing operates about 180 stores across the country. 

In 2014, Home Depot revealed a massive data breach that affected 56 million debit and credit cards. In that case, the Atlanta-based company said hackers initially accessed its network with a third-party vendor’s username and password.

Home Depot said the hackers then deployed malware on Home Depot’s self-checkout systems to gain access to the card information of customers who shopped at its U.S. and Canadian stores for months.