Home Depot Canada did not comply with federal law when it shared data from e-mail receipts with the social media giant, Meta, without its customers’ consent, the Privacy Commissioner of Canada said Thursday, after the release of an investigation by his office that also served to warn other businesses that may be using similar practices.
Commissioner Philippe Dufresne said Home Depot treated customers’ choice to receive a receipt by e-mail, instead of a paper copy, as “implicit consent” to share their data with a third-party.
“This practice is not consistent with privacy law and has to stop,” Mr. Dufresne said at a news conference in Ottawa, adding that “any and all organizations” with such a practice are expected to come into compliance with the law.
Since 2018, Home Depot had been using a tool from Meta, which owns Facebook, that measures how Facebook ads affect real-world outcomes, such as purchasing habits. After the OPC’s investigation, Home Depot agreed to halt using it.
The Office of the Privacy Commissioner of Canada, or OPC, began its investigation after a complaint from an individual, who alleged that Home Depot’s practices contravened the Personal Information Protection and Electronic Documents Act, the federal legislation which governs privacy in the private sector. His complaint was deemed founded.
While the OPC can offer findings and make recommendations, it does not have the power to levy fines or issue orders. Mr. Dufresne said Thursday that while Home Depot was co-operative, “that’s not always going to be the case.” He said his office welcomes the development of Bill C-27, which relates to federal privacy laws, citing the possibility of fines being imposed under the proposed legislation.
The tool that Home Depot was using is known as “Offline Conversions.” In this case, when a customer opted for an e-mail receipt, an encoded format of their e-mail was shared with Meta, along with the broad category of their purchase, such as lumber, hardware or paint. (The encoded, or “hashed,” e-mails could not be read by individuals at Facebook.)
Meta would then automatically match the encoded e-mail to a customer’s Facebook account, if they had one, to compare their in-store purchases to ads they’d previously seen on Facebook – to measure the effectiveness of those ads.
While Meta provided aggregated reports to Home Depot, the social media company could also use the information for its own business purposes, including to conduct targeted advertising unrelated to the hardware store, the OPC found. At no point in the process of getting a receipt did Home Depot reference its data sharing arrangement with Meta, the OPC determined, according to a summary of its investigation posted online.
Meta declined to comment on this story.
Paul Berto, a spokesperson for Home Depot Canada, said the company has “no intention of reintroducing the tool at this time and would take the OPC’s recommendations into account if that decision changes in the future.”
He also said the information shared with Meta was “non-sensitive” in nature.
Mr. Dufresne said while the materials one purchases at a Home Depot outlet may not be sensitive, the company’s data-sharing with Meta was “so removed from the reasonable expectation of customers” that opt-in consent was required.
Matt Malone, an assistant professor of law at Thompson Rivers University who focuses on privacy issues, said companies that engage in this type of behaviour should be punished, noting that financial penalties are a good way to elicit change.
“What did Home Depot actually suffer in this situation? Nothing,” he said.
He also said that the focus on consent, as the arbiter for whether certain personal data can be gathered, is misguided, given the complexity of data-sharing.
“It’s impossible for us to actually consent – or not consent – to practices that we only vaguely understand,” he noted. “We need to shift back to an era where ads are not spying on us.”
Home Depot argued to the OPC that it had gained its customers’ consent through its own, as well as Meta’s, privacy policy. Mr. Dufresne did not agree with this assessment.
Sharon Polsky, the president of the Privacy and Access Council of Canada and a long-time privacy consultant, said she imagines this type of data-sharing is taking place “almost 100 per cent” of the time when Canadians opt for an e-receipt.
She said that while buying a 2x4 piece of lumber from Home Depot doesn’t represent sensitive data, the same data-sharing practice, at another store, could divulge highly-personal details about one’s health, sexuality, family life or diet.
“So many technological conveniences these days, they’re sold as conveniences, and that is all,” Ms. Polsky said. “But convenience comes at a cost, and as we are learning more and more and more, the cost is our privacy.”