Home Depot warns amid customer privacy fears as it slams over ‘stunning’ apology after shoppers became vulnerable

HOME Depot Canada has been accused of failing to obtain customer consent prior to sharing personal information with Meta, leaving many shoppers at risk.

The shock claim came in a Thursday report following an investigation by the Office of the Privacy Commissioner of Canada (OPC).

1

Data protection officer Philippe Dufresne claimed that the hardware retailer “shared details from electronic receipts – including encrypted email addresses and in-store purchase information – with Meta without the knowledge or consent of the customers concerned”.

“As companies increasingly look to deliver services electronically, they must carefully consider any subsequent uses of personal data that may require additional consent,” the commissioner said in the report.

Its investigation found that Home Depot’s Canadian division has been collecting customer emails at checkouts to provide e-receipts since at least 2018.

At the same time, however, these encrypted email addresses and other information were sent to Meta.

The purpose of sharing data was reportedly “to verify that a customer had a Facebook account.”

If so, Meta would use the person’s purchase information at the store and compare it to Home Depot ads on the customer’s social media account.

The tech giant would then “measure and report on the effectiveness of those ads.”

Once in possession of the individual’s data, Meta could use the individual’s data for “their own business purposes,” according to the Watchdog report.

These include “user profiling” and “targeted advertising unrelated to Home Depot.”

While the email addresses were reportedly encrypted – so Facebook employees couldn’t read them – the purchase information doesn’t appear to have been in the store.

The OPC claims that Facebook may have been in possession of other “highly sensitive” details such as health or sexuality data.

It wasn’t immediately clear how many customers had shared their information, but Home Depot operates approximately 182 stores across Canada.

The investigation stemmed from a complaint from a man who, according to CBC, learned that Meta had a record of his Home Depot purchases when he deleted his Facebook account.

Home Depot confirmed to The US Sun that the retailer’s US division “is not using this technology.”

While Home Depot’s Canada division stopped sharing customer information with Meta in October 2022, a spokesman said only “non-sensitive information” was shared — like the department where an item was purchased.

During the investigation, the company claimed it relied on “implicit consent” and its privacy policy explained the purposes for which customer information could be used.

The privacy statement is accessible via the website and is available in printed form upon request.

The OPC eventually dismissed the argument, saying the privacy notices were not readily available and did not clearly explain the practice of sharing information.

“The explanations in his guidelines were ultimately insufficient to support meaningful consent,” Dufresne said.

“When customers were asked to provide their email address, they were never informed that their information would be shared by Home Depot with Meta or how it might be used by either company,” he continued.

“This information would have been essential in a customer’s decision as to whether or not to receive an electronic receipt.”

Former Ontario privacy commissioner Ann Cavoukian also blasted the excuse, calling it “stunning”.

“That’s the part that’s just amazing to me, that companies think they can do whatever they want with their customers’ information and their customers won’t care,” she said.

Additionally, Home Depot claimed that it failed to inform customers of the practice before issuing receipts due to the risk of “consent fatigue.”

Dufresne called this “no valid reason for not obtaining meaningful consent.”

“Consumers need clear information at key transaction points that empowers them to make decisions about how their personal information should be used,” he said.

“Many customers, like the complainant in this case, would be surprised to learn that their personal information was shared with third parties like Facebook without their knowledge and consent.”

Home Depot told The US Sun that it “values ​​and respects” the privacy of its customers and is “committed to the responsible collection and use of information.”

“We will continue to work closely with the Office of the Data Protection Commissioner of Canada.”