Retailer Home Depot shared details from electronic receipts with Meta, which owns the social media platform Facebook, without the knowledge or consent of customers, the federal privacy watchdog has found.
In a report released Thursday, privacy commissioner Philippe Dufresne said the data included encoded email addresses and in-store purchase information.
The commissioner’s investigation discovered that the information sent to Meta was used to see whether a customer had a Facebook account.
If they did have an account, Meta compared what the customer bought at Home Depot to advertisements sent over the platform to measure and report on the effectiveness of the ads.
Meta was also able to use the customer information for its own business purposes, including user profiling and targeted advertising unrelated to Home Depot, the commissioner found.
It is unlikely that Home Depot customers would have expected their personal information to be shared with a social media platform simply because they opted for an electronic receipt, Dufresne said in a statement.
He reminded companies that they must obtain valid consent at the point of sale to engage in this type of activity.
“As businesses increasingly look to deliver services electronically, they must carefully consider any consequential uses of personal information, which may require additional consent.”
Details of a person’s in-store purchases might not have been sensitive in the context of the home-improvement retailer, but they could be in other cases, revealing information about an individual’s health or sexuality, he added.
At a news conference, Dufresne suggested the Home Depot matter was not an isolated case.
“Our investigation focused on one organization, one situation, but our sense is that these tools are widely used. And this is why the message today is that all organizations should review their practices.”
Home Depot told the privacy commissioner it relied on implied consent and that its privacy statement, available through its website and in print upon request at retail outlets, adequately explained the company’s use of information. The retailer also cited Facebook’s privacy statement.
The commissioner rejected Home Depot’s argument, saying the privacy statements were not readily available to customers at the checkout counter and shoppers would have no reason to seek them out.
“The explanations provided in its policies were ultimately insufficient to support meaningful consent,” Dufresne’s statement said.
He recommended that Home Depot stop disclosing the personal information of customers who request an electronic receipt to Meta until it is able to put in place measures to ensure valid consent.
Home Depot fully co-operated with the investigation, agreed to implement the recommendations and stopped sharing customer information with Meta in October, the commissioner said.