Home Depot failed to get consent before sharing customer data with Meta, privacy office found

Home Depot has been collecting personal emails for e-receipts since at least 2018

The Office of the Privacy Commissioner (OPC) says Home Depot shared personal customer data with Meta without consent.

According to its investigation, the home repair store shared details, such as encoded email addresses and purchase information, from e-receipts with Meta through its Offline Conversions program. The feature contrasted in-store purchases with Home Dept ads shared on Facebook to examine how effective the ads were.

The investigation found Home Depot has been collecting email addresses to share e-receipts since at least 2018.

Information shared with Meta verified if customers had a Facebook account through an automated process. The emails were encoded, and Facebook employees couldn’t read them. However, Meta used personal information for user profiling and targeted advertising unrelated to Home Depot. The investigation says this was possible through Offline Conversions’ contractual terms.

Emails not connected to Facebook accounts weren’t linked to individual customers.

“While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality” a press release outlining the investigation states.

Home Depot said it “relied on implied consent,” and its privacy statement explains the company’s actions. The statement is available online or in print upon request at its retail locations. The company further said it didn’t share this information with customers before issuing e-receipts over “consent fatigue” concerns.

However, the OPC rejects the arguments, stating the privacy statement wasn’t “readily available” at retail locations, customers wouldn’t have any reasons to request such documents, and the practice wasn’t clearly explained.

“When customers were prompted to provide their email address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company,” Commissioner Philippe Dufresne said. “This information would have been material to a customer’s decision about whether or not to obtain an e-receipt.”

Home Depot stopped sharing information with Meta in October 2022 and agreed to implement several OPC recommendations. This includes no longer sharing personal customer information with Meta until further notice and obtaining express consent from customers.

Image credit: Shutterstock 

Source: Office of the Privacy Commissioner of Canada

MobileSyrup may earn a commission from purchases made via our links, which helps fund the journalism we provide free on our website. These links do not influence our editorial content. Support us here.

Related Articles