Canada’s privacy commissioner says Home Depot’s Canadian division didn’t get customers’ consent before sharing details of customers’ e-receipts — including encoded email addresses and in-store purchase information — with Facebook parent Meta Platforms.
In a report released on Thursday, Commissioner Philippe Dufresne said Canadian Home Depot confirmed that the data was sent without the customers’ knowledge or consent, in violation of the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
This was done through Meta’s offline conversion program. Home Depot had been collecting customer email addresses at store checkout since at least 2018 for the stated purpose of providing customers with an electronic copy of their receipt. However, the investigation revealed that during this period encoded email addresses and high-level details of each customer’s in-store purchases were also sent to Meta.
“When customers are asked to provide their email address [at check-out] they were never informed that their information would be shared by Home Depot with Meta, or how it might be used by either company,” Dufresne said in a news release accompanying the decision. “This information would have been crucial to the customer’s decision about whether or not to receive an e-receipt.”
“As businesses increasingly look to delivering services electronically, they must carefully consider any consequential use of personal information, which may require additional consent,” Dufresne said.
“In this case, it is unlikely that Home Depot customers would have expected that their personal information would be shared with third-party social media platforms because they opted in to an electronic receipt.
“As we mark Canada’s Data Privacy Week, it is high time to remind companies that they have to obtain valid consent at the time of sale to engage in this type of commercial activity.”
The ruling said the information sent to Meta was used to verify whether a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases with Home Depot’s ads sent to the platform to measure and report on the effectiveness of those ads. Meta’s offline conversion contractual terms also allowed Meta to use customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.
Each email address Home Depot shared with Meta was encoded so that it could not be read by individuals on Facebook. Meta employed an automated process that allowed it to match email addresses associated with Facebook accounts. Email addresses that aren’t already associated with a Facebook account can’t be linked to individuals.
While details of a person’s in-store purchases may not be sensitive in the Home Depot context, they may be highly sensitive in other retail contexts where they reveal, for example, information about a person’s health or sexuality.
During the investigation, Home Depot said it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, adequately explained that the company “uses Identified Information for internal business purposes, such as for marketing, customer service, and business analysis.” The website’s statement also says the company may share information “for business purposes,” including “with third parties.” Home Depot also relied on Facebook’s privacy statement, which explained the offline conversion program.
The commissioner rejected that argument, because the privacy statements that Home Depot relied on for consent were not readily available to customers at the check-out counter, and consumers would have no reason to seek them out. In addition, the commissioner found that Home Depot’s privacy statement did not clearly explain the practice.
The company said it did not inform customers about its information sharing agreement with Meta just prior to issuing e-receipts due to the risk of “consent fatigue”.
“Consumers need clear information at critical transaction points, empowering them to make decisions about how their personal information is used,” Dufresne said. “Consent fatigue is not a valid reason for failing to obtain meaningful consent. Many customers will be surprised, as the complainant in this case discovered, that their personal information was shared with third parties such as Facebook without their knowledge and consent.”
As a result of the investigation, the Office of the Privacy Commissioner (OPC) recommended that Home Depot:
- stop disclosing to Meta the personal information of customers requesting e-receipts until it is able to implement measures to ensure valid consent;
- implement measures to obtain express, opt-in consent from customers before sharing information with Meta, should this practice resume; and
- ensure that consent is meaningful by providing customers who request an e-receipt with important information regarding information sharing with Meta at the point of sale, and by strengthening its privacy statement with a detailed explanation of its practices and how customers can withdraw consent.
The OPC said Home Depot was fully cooperative during the investigation and has agreed to implement the OPC’s recommendations. The company stopped sharing customer information with Meta in October 2022.