GATINEAU, QC, January 26, 2023 – Convenient and environmentally friendly, e-receipts are the way of the future, but they are also raising questions about consumer privacy.
It is an issue highlighted in a recent investigation by the Office of the Privacy Commissioner of Canada (OPC) into Home Depot of Canada Inc. (Home Depot). By participating in Meta Platforms Inc.’s Offline Conversions program, Home Depot was found to be sharing details from e-receipts – including encoded email addresses and in-store purchase information – with Meta, which operates the Facebook social media platform, without the knowledge or consent of customers.
“As businesses increasingly look to deliver services electronically, they must carefully consider any consequential uses of personal information, which may require additional consent,” Commissioner Philippe Dufresne said.
“In this case, it is unlikely that Home Depot customers would have expected that their personal information would be shared with a third party social media platform simply because they opted for an electronic receipt. As Canada marks Data Privacy Week, it is the perfect time to remind companies that they must obtain valid consent at the point of sale to engage in this type of business activity.”
The investigation found that Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt since at least 2018. However, the investigation revealed that during this period, the encoded email addresses, along with high-level details about each customer’s in-store purchases, were also sent to Meta.
Information sent to Meta was used to verify if a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s advertisements sent over the platform to measure and report on the effectiveness of those ads. Meta’s Offline Conversions contractual terms also allowed it to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.
Each email address Home Depot shared with Meta was encoded so that it could not be read by individuals at Facebook. Meta employed an automated process that allowed it to match email addresses attached to Facebook accounts. Email addresses not already associated with a Facebook account could not be linked to individuals.
While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality.
During the investigation, Home Depot said that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, adequately explained that the company uses “de-identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” including “with third parties.” Home Depot also relied on Facebook’s privacy statement, which explained the Offline Conversions program.
The OPC, however, rejected Home Depot’s argument as the privacy statements Home Depot relied on for consent were not readily available to customers at the check-out counter, and consumers would have no reason to seek them out. Moreover, the OPC found that Home Depot’s privacy statement did not clearly explain the practice in question.
“The explanations provided in its policies were ultimately insufficient to support meaningful consent,” Commissioner Dufresne said.
“When customers were prompted to provide their email address, they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company. This information would have been material to a customer’s decision about whether or not to obtain an e-receipt.”
The company said that it did not notify customers of its information sharing agreement with Meta just prior to issuing e-receipts due to the risk of “consent fatigue.”
“Consumers need clear information at key transaction points, empowering them to make decisions about how their personal information should be used,” Commissioner Dufresne said. “Consent fatigue is not a valid reason for failing to obtain meaningful consent. Many customers would be surprised, as the complainant was in this case, to learn that their personal information had been shared with a third party like Facebook without their knowledge and consent.”
As a result of the investigation, the OPC recommended that Home Depot:
- cease disclosing the personal information of customers requesting an e-receipt to Meta until it is able to implement measures to ensure valid consent;
- implement measures to obtain express, opt-in consent from customers prior to sharing the information with Meta, should it resume the practice; and
- ensure meaningful consent by providing customers requesting an e-receipt with key information regarding its sharing of information with Meta at the point of sale, and by strengthening its privacy statement to include a detailed explanation of its practices and how customers can withdraw consent.
Home Depot was fully cooperative throughout the investigation and has agreed to implement the OPC’s recommendations. The company stopped sharing customer information with Meta in October 2022.
Further reading
Report of Findings: Investigation into Home Depot of Canada Inc.’s compliance with PIPEDA
Contact information for media
Office of the Privacy Commissioner of Canada
Communications@priv.gc.ca
Privacy 2024 Recap – some significant decisions, slow progress for reform
The past year saw a few court decisions of note as well as halting progress toward privacy…