Date: 2023-01-26

The federal privacy commissioner takes questions following the release of his report into Home Depot's sharing of customer e-receipt information with Meta Platforms Inc., which operates Facebook.

Home improvement retailer Home Depot didn't get customer consent before sharing personal data with Meta, which operates social media sites Facebook and Instagram, according to a new report by Canada's privacy watchdog.

Privacy Commissioner Philippe Dufresne released the findings of his latest investigation Thursday morning.

It found Home Depot had been sharing details from electronic receipts since 2018 — including encoded email addresses and in-store purchase information — with Meta without the knowledge or consent of customers. The company said it stopped sharing customer information with Meta in October 2022.

Home Depot's Canada division was using a service provided by the social media giant called "offline conversions."

According to the privacy report, information sent to Meta was used to verify if a customer had a Facebook account. If they did, Meta compared the person's in-store purchases to Home Depot's ads to gauge their effectiveness.

The program's contractual terms also allowed Meta to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.

'Highly sensitive'

"While the details of a person's in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual's health or sexuality," said the commissioner's report.

Home Depot told Dufresne's office that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, explained that the company uses de-identified information for internal business purposes.

"The explanations provided in its policies were ultimately insufficient to support meaningful consent," Dufresne said in a release.

The company said that it did not notify customers of its sharing agreement with Meta when they were at checkout before prompting an e-receipt, due to the risk of "consent fatigue."

Dufresne didn't buy that argument, either.

"Consent fatigue is not a valid reason for failing to obtain meaningful consent," he wrote.

"When customers were prompted to provide their email address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company. This information would have been material to a customer's decision about whether or not to obtain an e-receipt."

Home Depot has agreed to implement the commissioner's recommendations.

Complaint raised by customer

The federal watchdog was alerted to the issue by a man who complained that while he was deleting his Facebook account, he learned that Meta had a record of most of his in-store purchases at Home Depot.

According to the report, he went to the Office of the Privacy Commissioner after receiving a dissatisfactory response from Home Depot, which incorrectly advised that it had not shared his information with Meta.

Home Depot's Canada wing operates about 180 stores across the country.

Past breach

In 2014, Home Depot revealed a massive data breach that affected 56 million debit and credit cards. In that case, the Atlanta-based company said hackers initially accessed its network with a third-party vendor's username and password.

Home Depot said the hackers then deployed malware on Home Depot's self-checkout systems to gain access to the card information of customers who shopped at its U.S. and Canadian stores for months.