Home Depot didn’t get customer consent before sharing data with Facebook’s owner, privacy official finds
Home improvement retailer Home Depot failed to obtain customer consent before sharing personal information with Meta, which operates social media sites Facebook and Instagram, according to a new report from the Data Protection Agency of Canada.
Data Protection Commissioner Philippe Dufresne published the results of his latest investigation on Thursday morning.
It turns out that starting in 2018, Home Depot shared details from electronic receipts — including encrypted email addresses and information about in-store purchases — with Meta without customers’ knowledge or consent. The company said it stopped sharing customer information with Meta in October 2022.
Home Depot’s Canadian division used a service from the social media giant called Offline Conversions.
According to the privacy report, information sent to Meta was used to verify whether a customer had a Facebook account. When they did, Comparing the person’s store purchases to Home Depot ads to measure their effectiveness.
The program’s terms of service also allowed it to use customer information for its own business purposes, including user profiling and targeted advertising unrelated to Home Depot.
‘very sensitive’
“While details of a person’s in-store purchases may not have been sensitive in the Home Depot context, they may be highly sensitive in other retail contexts where, for example, they reveal information about the a person’s health or sexuality,” the Commissioner’s report. he said.
Home Depot told Dufresne’s office that it relies on tacit consent and that its privacy statement, which is accessible through its website and printed upon request at retail stores, explains that the company uses de-identified information for internal business purposes.
Federal Commissioner for Data Protection Philippe Dufresne released a report on Thursday that found that since 2018, Home Depot has been sharing details from electronic receipts with meta-platforms without the knowledge or consent of -customers. (Sean Kilpatrick/The Canadian Press)
“The statements in his guidelines were ultimately insufficient to support a meaningful consensus,” Dufresne said in a press release.
The company said it did not tell customers about its joint arrangement with Meta when they were at checkout before requesting an electronic receipt because of the risk of “consent fatigue.”
Dufresne did not believe this argument either.
“Consent fatigue is not a valid reason not to achieve meaningful consensus,” he wrote.
“When customers were asked to provide their email address, they were never informed that their information would be shared by Home Depot with Meta or how it might be used by any company. This information will be useful in the customer’s decision on whether to receive an electronic receipt or not.”
Home Depot agreed to implement the Commissioner’s recommendations.
Complaint raised by the customer
The federal watchdog was alerted to the matter by a man who complained that when he deleted his Facebook account, he learned that Meta had a record of most of his purchases from the Home Depot store.
According to the report he went to the privacy commissioner’s office after receiving an unsatisfactory response from Home Depot when they incorrectly indicated that they did not disclose his information to the Meta
Home Depot’s Canadian wing operates approximately 180 stores across the country.
Dufresne will have a media availability at 11am ET.
past injury
In 2014, Home Depot disclosed a major data breach that affected 56 million debit and credit cards. In this case, the Atlanta-based company said the hackers initially accessed its network using a third-party username and password.
Home Depot said the hackers then planted malware on Home Depot’s self-checkout systems to gain access to the card information of customers who had been shopping at US stores for months and Canada.
