Home Depot sent my email, details of stuff I bought to Meta, customer complains
DIY store didn't get 'valid consent,' says Canada's regulator
Canada's Home Depot has stopped using Meta's "Offline Conversions" tool, it confirmed to a regulator dealing with a man's complaint after he discovered his visits to the home improvement shop had been recorded.
According to an investigation by the nation's privacy commissioner (OPC), it received a complaint from the customer claiming Home Depot was breaking Canada's Personal Information Protection and Electronic Documents Act (Pipeda), which requires a person's "knowledge and consent" for the collection, use and disclosure of their personal information.
He said that while he was deleting his Facebook account, he took a look at "Off-Facebook Activity" and learned that Meta actually had a "record of most of his in-store purchases made at Home Depot."
The man escalated the issue to the OPC after Home Depot "incorrectly advised that they had not shared his information with Meta."
The report explained what exactly had been done, and it makes for creepy reading:
Specifically, Home Depot forwards the customer's hashed email address and offline purchase details to Meta when the customer provides their email address to Home Depot, at checkout, to obtain an e-receipt.
Meta then matches the email to the customer's Facebook account. If the customer has a Facebook account, Meta compares offline purchase information to ads delivered to the customer on Facebook, to measure effectiveness of those ads, and provides results of that analysis back to Home Depot in the form of an aggregated report.
It added: "Meta can also use the customer's information for its own business purposes, including targeted advertising, unrelated to Home Depot."
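Why a hashed email address still identifies the customer, shown as an added example (not code from the OPC report, Home Depot or Meta): any party that already holds the same address can recompute the hash and join on it. It assumes unsalted SHA-256 over the trimmed, lower-cased address, since the report says only "hashed"; all names, records and the key are constructed for illustration.

```python
import hashlib
import hmac

def normalize(email):
    return email.strip().lower()

def hashed_email(email):
    # Assumption: plain unsalted SHA-256; the report says only "hashed".
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def keyed_email(email, key):
    # HMAC under a key only the retailer holds: stable for the retailer's own
    # analytics, but a third party cannot recompute it from an address.
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()

# Constructed sample data: e-receipt records held by a retailer ...
RECEIPTS = [
    {"email": " Pat@Example.com ", "department": "Electrical"},
    {"email": "sam@example.org", "department": "Tools"},
]
# ... and account records held by the platform that receives the upload.
ACCOUNTS = [
    {"account_id": 1001, "email": "pat@example.com"},
    {"account_id": 1002, "email": "lee@example.net"},
]

def upload(receipts, tokenize):
    # What leaves the retailer: a token in place of the address, plus purchase detail.
    return [{"email_token": tokenize(r["email"]), "department": r["department"]}
            for r in receipts]

def match(uploaded, accounts):
    # Recipient side: hash its own account addresses and use the hash as a join key.
    index = {hashed_email(a["email"]): a["account_id"] for a in accounts}
    return [(index[u["email_token"]], u["department"])
            for u in uploaded if u["email_token"] in index]

def demo():
    plain = match(upload(RECEIPTS, hashed_email), ACCOUNTS)
    key = b"constructed-retailer-only-key"
    keyed = match(upload(RECEIPTS, lambda e: keyed_email(e, key)), ACCOUNTS)
    return plain, keyed

if __name__ == "__main__":
    plain, keyed = demo()
    print("unsalted hash matched:", plain)  # purchase linked to an account
    print("keyed hash matched:", keyed)     # nothing to join on
```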
The commissioner said Home Depot claimed it had customers' "implied consent" but said that actually the customers had given nothing of the sort, were "completely unaware of the practice," and "would not reasonably expect it," adding that they'd given their email address to get an e-receipt, not to have it used for "secondary purposes, let alone for disclosure to Meta to be used for its own separate business purposes."
Home Depot also referenced "consent fatigue" as a rationale for why, at the time the customer requested an e-receipt, it did not notify them of its practices of sharing information with Meta, the regulator added. But OPC added that this wasn't enough to say consent had been obtained.
The home improvement giant stopped using Meta's Offline Conversions Tool in October 2022 to comply with the commissioner's recommendations, leading the privacy body to declare the issue "resolved."
The real question, though, is whether seeing an ad on Facebook would even have mattered when the complainant went to buy a fuse, or some tarp, or a hammer at what was probably the nearest store in his neighborhood. Slurping up his data to the extent of inferring his FB presence from a hashed email and then checking ads shown against purchases... it's all completely over the top.
It doesn't take away from the fact that, without consent, Home Depot had no business sending receipts to Meta and Meta had no business knowing, but it's an intriguing tale that makes us want to sign right out of everything nonetheless.
And protip: most folks have a smartphone they can use to take a picture of receipts. Whether you then load them onto a receipts app (check the permissions it requests) is another choice.
A Home Depot spokesperson told The Register: "Even though our use of a Meta analytics tool involved the use of only non-sensitive information – i.e. the department in which a purchase was made – as a precaution, we stopped using the tool once the Office of the Privacy Commissioner of Canada expressed concerns about it in October 2022.
"We have no intention of reintroducing the tool at this time and would take the OPC's recommendations into account if that decision changes in the future." It added: "We value and respect the privacy of our customers and are committed to the responsible collection and use of information." ®