The Home Depot home improvement store shared electronic receipt details with Meta, Facebook’s parent company, without customers’ knowledge or consent, the Privacy Commissioner of Canada has found.
In a report released Thursday, Commissioner Philippe Dufresne said the data shared by Home Depot included encrypted customer email addresses and information about their in-store purchases.
The commissioner’s investigation found that the information passed to Meta was used to determine if a customer had a Facebook account. If so, Meta would compare what the customer purchased from Home Depot to the ads on Facebook to gauge their effectiveness.
Meta may also have used customer information for its own business purposes, “including user profiling and ad targeting, unrelated to Home Depot,” the commissioner found.
The investigation thus revealed that “since at least 2018”, Home Depot collected the email addresses of customers, during their checkout, in order to send them an electronic receipt.
In a statement, Commissioner Dufresne says Home Depot customers are unlikely to expect their personal information to be shared with a third-party social media platform simply because they opted in at checkout. for an electronic receipt.
“When customers were asked to provide their email address [à la caisse], they were never told that their information would be shared with Meta and they were never provided with information on how Meta or Home Depot would use their information,” summarized Commissioner Dufresne. “This information would have been of great importance in the customers’ decision whether or not to request an electronic receipt. »
Mr. Dufresne reminds businesses that they must obtain valid customer consent at the time of sale before engaging in this type of commercial activity.
“Companies that are increasingly seeking to offer services online must take particular care in any use of the personal information they collect, as it may be necessary to obtain additional consent,” explained Commissioner Dufresne.
“Tacit Consent”
In its defence, Home Depot told the commissioner that it relied on “implied consent” and that its privacy statement, available on its website and in print on demand at retail outlets, explained appropriately the company’s use of the information. The retailer also cited Facebook’s privacy policy.
The commissioner rejected Home Depot’s arguments, saying the relied-on consent documents were not readily available at checkout — and customers had no reason to seek them out.
“The explanations offered in the company’s policies were insufficient to obtain valid consent,” concludes Commissioner Dufresne.
He recommended that until Home Depot is able to put measures in place to ensure valid consent, the retailer should stop disclosing to Meta the personal information of customers who request an electronic receipt at checkout.
The commissioner indicates that Home Depot cooperated fully with the investigation, agreed to follow up on the recommendations of the commissioner’s office. Home Depot also stopped sharing customer information with Meta in October, the commissioner added.