The Home Depot’s Canadian division did not obtain customer consent before sharing customer electronic receipt details – including encoded email addresses and in-store purchase information – with Facebook’s parent meta-platforms, said the Privacy Commissioner of Canada.
In a report released Thursday, Commissioner Philippe Dufresne said Home Depot of Canada confirmed that the data was sent without the knowledge or consent of customers in violation of the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
This was done through Meta’s offline conversions program. The Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt since at least 2018. However, the investigation found that during this time, email addresses codes, as well as the high-level addresses of each customer’s in-store purchase details were also sent to Meta.
“When customers were asked to provide their email address [at check-out], they were never told that their information would be shared with Meta by Home Depot, or how it might be used by either company,” Dufresne said in a press release accompanying the decision. “This information would have been important to a customer’s decision whether or not to get an e-receipt.”
“As businesses increasingly seek to deliver services electronically, they should carefully consider any subsequent use of personal information, which may require additional consent,” Dufresne said.
“In this case, Home Depot customers are unlikely to have expected their personal information to be shared with a third-party social media platform simply because they opted for an electronic receipt.
“As Canada scores Data Privacy Weeknow is an ideal time to remind businesses that they must obtain meaningful consent at the point of sale to engage in this type of business activity.
The information sent to Meta was used to verify whether a customer had a Facebook account, according to the ruling. If so, Meta would compare the person’s in-store purchases to the Home Depot advertisements served on the platform to measure and report on the effectiveness of those advertisements. Meta’s offline conversions contract terms also allowed it to use customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.
Every email address Home Depot has shared with Meta has been encrypted so that it cannot be read by individuals on Facebook. Meta used an automated process that allowed it to match email addresses attached to Facebook accounts. Email addresses that are not already associated with a Facebook account cannot be linked to individuals.
Although details of a person’s in-store purchases may not have been sensitive in the Home Depot context, they could be very sensitive in other retail contexts, where they reveal, for example, information about a person’s health or sexuality.
During the investigation, Home Depot said it relied on implied consent and that its privacy statement, accessible through its website and printed on demand at retail outlets, adequately explained that the company uses “anonymized information for internal business purposes, such as marketing, customer service and business analysis. The website’s statement also says the company “may share information for business purposes,” including “with third parties.” Home Depot also relied on Facebook’s privacy statement, which explained the offline conversions program.
The commissioner rejected this argument because the privacy statements Home Depot relied on to obtain consent were not readily available to customers at checkout and consumers would have no reason to seek them out. Additionally, the commissioner found that Home Depot’s privacy statement did not clearly explain the practice.
The company said it did not inform customers of its information-sharing agreement with Meta just before issuing e-receipts due to the risk of “consent fatigue”.
“Consumers need clear information at key transaction points, enabling them to make decisions about how their personal information should be used,” Dufresne said. “Consent fatigue is not a valid reason for not obtaining meaningful consent. Many customers would be surprised, as the plaintiff was in this case, to learn that their personal information has been shared with a third party like Facebook without their knowledge and consent.
As a result of the investigation, the Office of the Privacy Commissioner (OPC) recommended that Home Depot:
- cease disclosing the personal information of customers requesting an e-receipt from Meta until Meta is able to implement measures to ensure valid consent;
- implement measures to obtain the express and voluntary consent of customers before sharing information with Meta, should it resume the practice; and
- ensure meaningful consent by providing customers requesting an e-receipt with key information regarding its information sharing with Meta at the point of sale, and enhancing its privacy statement to include a detailed explanation of its practices and how customers can withdraw their consent.
Home Depot has been fully cooperative throughout the investigation, the OPC said, and has agreed to implement the OPCrecommendations. The company stopped sharing customer information with Meta in October 2022.
“Evil alcohol lover. Twitter junkie. Future teen idol. Reader. Food aficionado. Introvert. Coffee evangelist. Typical bacon enthusiast.”