CYBER AND PRIVACY LAW JANUARY, 2023

It was recently reported in the media that Home Depot violated the privacy of hundreds of its customers by sharing details from electronic receipts with Meta in 2018 (including encoded email addresses and in-store purchase information) without the knowledge or consent of customers. Meta is, of course, the owner of Facebook. Apparently the agreement to share this information commenced in 2018 and continued for four years until they stopped in October 2022.

The Home Depot Canada division was using the social media company’s service called “offline conversions”. According to the privacy report authored by Privacy Commissioner Philippe Dufresne, “information sent to Meta was used to determine whether a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s ads to gauge their effectiveness. The program’s contract terms also allowed Meta to use the customer information for its own business purposes, including user profiling and targeted advertising unrelated to Home Depot.”

“While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality,” said the commissioner’s report. A spokesperson for Home Depot said only non-sensitive information, such as the department in which a purchase was made, was used as part of the Meta program. During a news conference Thursday, Dufresne said that even knowing when and how often a person buys an item can expose personal details. “The more information you have about an individual, the more you can create an image of that person. And so that’s why it is something that absolutely has to be taken seriously by organizations,” he said.

You can see how companies will argue that noting the item someone buys, and from which department, is an innocent fact that does not reveal a person’s identity. However, the Privacy Commissioner correctly observes that a person’s purchasing habits are a noteworthy identifier of that individual, and that such an invasion of shopping habits is a violation of privacy which should be met with punishment under the law. The current PIPEDA legislation, drafted in the early days of the internet over 22 years ago, is woefully behind the times. Unfortunately, the embarrassment of public exposure is the only punishment meted out to Home Depot. The new Bill C-27 does have teeth, such as very large fines in the millions of dollars.

The company responded that it did not tell customers about the agreement with Meta due to “consent fatigue”. The Commissioner did not buy this excuse. Meaningful consent is the key goal to be kept in mind. Unless meaningful consent is obtained, one is not authorized to use the email address a customer provides when issued an e-receipt.

How was this issue uncovered in the first place? “The federal watchdog was alerted to the issue by a man who complained that while he was deleting his Facebook account, he learned that Meta had a record of most of his in-store purchases at Home Depot. According to the report, he went to the Office of the Privacy Commissioner when Home Depot incorrectly told him that they had not shared his information with Meta.”

Were it not for the vigilance of this one customer, who knows how much longer Home Depot would have gotten away with the agreement with Meta for use of this private information? It seems that the younger generation of today does not really take a second to consider the privacy implications of such arrangements by corporate bodies. The new Bill C-27 will certainly bring a welcome change, as it will undoubtedly force companies to scrutinize such agreements with social media giants like Meta more closely.

David H. Davis of Davis Cyber Law specializes in strategic risk management, incident response, privacy & data protection, and advocacy. He can be reached by email at david@daviscyberlaw.com or by telephone at 204-956-2336. We are also on the web at www.daviscyberlaw.com