Home Depot didn't get customer consent before sharing data with Facebook's owner, privacy watchdog finds

Home improvement retailer Home Depot didn't get customer consent before sharing personal data with Meta, which operates social media giants Facebook and Instagram, according to a new report by Canada's privacy watchdog.

Privacy Commissioner Philippe Dufresne released the findings of his latest investigation Thursday morning.

It found Home Depot began sharing details from electronic receipts with Meta in 2018 — including encoded email addresses and in-store purchase information — without the knowledge or consent of customers. The company said it stopped sharing customer information with Meta in October 2022.

Home Depot's Canada division was using a service provided by the social media giant called "offline conversions."

According to the privacy report, information sent to Meta was used to determine whether a customer had a Facebook account. If they did, Meta compared the person's in-store purchases to Home Depot's ads to gauge their effectiveness.

The program's contract terms also allowed Meta to use the customer information for its own business purposes, including user profiling and targeted advertising unrelated to Home Depot.

'Highly sensitive'

"While the details of a person's in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual's health or sexuality," said the commissioner's report.

A spokesperson for Home Depot said only non-sensitive information — such as the department in which a purchase was made — was used as part of the Meta program.

During a news conference Thursday, Dufresne said that even knowing when and how often a person buys an item can expose personal details.

"The more information you have about an individual, the more you can create an image of that person. And so that's why it is something that absolutely has to be taken seriously by organizations," he said.

Former Ontario privacy commissioner Ann Cavoukian said any type of personal data can be exploited in ways that aren't always obvious.

"Personally identifiable data in the wrong hands can be used for a variety of purposes that would never be contemplated, that can come back to bite you," she said.

"It's very sensitive information. It doesn't belong to anyone other than the data subject who consents to a particular use of the information."

Dufresne said his office isn't sure how many Canadians had their information shared with Meta while the program was in place. He said he suspects it was "many."

"It is a widespread reality of being asked for a paper or online receipt. So we were dealing with a situation where we had one complainant who was affected by this, but we know that this was occurring on multiple occasions," he said.

"This is something we are flagging as something that should be looked at by organizations. And if they are applying similar policies, they need to know that this is not consistent with privacy law."

Home Depot says it worried about 'consent fatigue'

Home Depot told Dufresne's office that it relied on implied consent and that its privacy statement — accessible through its website and in print upon request at retail locations — explained that the company uses de-identified information for internal business purposes.

"The explanations provided in its policies were ultimately insufficient to support meaningful consent," Dufresne said in a media release.

Cavoukian said she was stunned by Home Depot's response.

"That's the part that is just mind-boggling to me, that companies think they can do whatever they want with their customers' information and their customers won't care about it," she said.

Home Depot said it did not notify customers of its sharing agreement with Meta when they were at checkout before prompting an e-receipt, due to the risk of "consent fatigue."

Dufresne didn't buy that argument, either.

"Consent fatigue is not a valid reason for failing to obtain meaningful consent," he wrote.

"When customers were prompted to provide their email address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company. This information would have been material to a customer's decision about whether or not to obtain an e-receipt."

Wendy Wong is a professor of political science at the University of British Columbia's Okanagan campus; she specializes in human rights issues related to big data. She said the idea of meaningful consent needs to be reconsidered.

"I don't think it's consent fatigue. I think the types of things we're being asked to consent to as the public and as consumers have ballooned to the point where it's not meaningful anymore," she said.

"I think that we're placing the onus on the public to understand complex and vague legal documents and to assume everyone understands what's going on when it's about data that's being collected about us."

Home Depot has agreed to implement the commissioner's recommendations — including the recommendation that it stop disclosing the personal information of customers who request electronic receipts to Meta until it is able to put better consent measures in place.

"We value and respect the privacy of our customers and are committed to the responsible collection and use of information. We'll continue to work closely with the Office of the Privacy Commissioner of Canada," said an unnamed spokesperson in an email to CBC.

Complaint raised by customer

The federal watchdog was alerted to the issue by a man who complained that while he was deleting his Facebook account, he learned that Meta had a record of most of his in-store purchases at Home Depot.

According to the report, he went to the Office of the Privacy Commissioner when Home Depot incorrectly told him that they had not shared his information with Meta.

Wong said Canadians should be aware of the data and patterns they are sharing and should demand that their governments take action.

"Look, data collection has implications for individuals but also for us as a collective, as a public," she said.

"We really need to push our policymakers to not just focus on individuals being violated here in this situation, but actually how this affects us as a society, right? What does it mean when so much data about so many of our individual activities are being collected and triangulated and analyzed in these vast datasets."

Home Depot's Canada wing operates about 180 stores across the country.

A spokesperson for Home Depot's headquarters said the company doesn't use the Meta tool in the U.S.

In 2014, Home Depot revealed a massive data breach that affected 56 million debit and credit cards. In that case, the Atlanta-based company said hackers initially accessed its network with a third-party vendor's username and password.

Home Depot said the hackers then deployed malware on Home Depot's self-checkout systems to gain access to the card information of customers who shopped at its U.S. and Canadian stores for months.