Home Depot is in hot water, with its Canadian division sharing customer data with Meta without the proper consent.
The Office of the Privacy Commissioner of Canada (OPC) found that Home Depot of Canada had been sharing customers’ e-receipt information with Meta. The information included email and in-store purchases.
“As businesses increasingly look to deliver services electronically, they must carefully consider any consequential uses of personal information, which may require additional consent,” Commissioner Philippe Dufresne said.
“In this case, it is unlikely that Home Depot customers would have expected that their personal information would be shared with a third party social media platform simply because they opted for an electronic receipt. As Canada marks Data Privacy Week, it is the perfect time to remind companies that they must obtain valid consent at the point of sale to engage in this type of business activity.”
The OPC’s investigation showed the behavior had been going on since at least 2018. Meta evidently used the info to compare users’ purchases with the Home Depot ads showing in their Facebook feeds, providing information regarding the effectiveness of ad campaigns.
Home Depot defended its action by saying it relied on “implied consent” and that its privacy policy was available for all to read. That policy says the company may use “de-identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” such as “with third parties.”
Thankfully, the OPC didn’t buy the Home Depot’s defense.
“The explanations provided in its policies were ultimately insufficient to support meaningful consent,” Commissioner Dufresne said.
“When customers were prompted to provide their email address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company. This information would have been material to a customer’s decision about whether or not to obtain an e-receipt.”
The OPC also did not buy Home Depot’s explanation that it didn’t expressly ask for consent in an effort to avoid causing “consent fatigue” among consumers.
“Consumers need clear information at key transaction points, empowering them to make decisions about how their personal information should be used,” Commissioner Dufresne said. “Consent fatigue is not a valid reason for failing to obtain meaningful consent. Many customers would be surprised, as the complainant was in this case, to learn that their personal information had been shared with a third party like Facebook without their knowledge and consent.”
As we have stated at WPN many times before, it’s completely understandable when free services use consumer information as a way to offset the cost of offering those free services. When consumers are paying for a product or service, however, there is absolutely no excuse for then collecting and monetizing the consumer’s information.
In this case, the only thing more insulting than Home Depot’s actions was its lame justification of those actions. Thankfully, the OPC saw right through Home Depot’s arguments.