{"id":34641,"date":"2023-01-26T10:46:40","date_gmt":"2023-01-26T15:46:40","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=524015"},"modified":"2023-01-27T09:41:39","modified_gmt":"2023-01-27T14:41:39","slug":"breaking-news-home-depot-canada-criticized-by-privacy-commissioner","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/breaking-news-home-depot-canada-criticized-by-privacy-commissioner\/","title":{"rendered":"Breaking news: Home Depot Canada criticized by privacy commissioner"},"content":{"rendered":"

The Canadian division of Home Depot didn\u2019t get customers\u2019 consent before sharing details of customers\u2019 e-receipts \u2013 including encoded email addresses and in-store purchase information \u2013 with Facebook parent Meta Platforms, says Canada\u2019s privacy commissioner.<\/p>\n

In a report released Thursday,<\/a> Commissioner Philippe Dufresne said Home Depot of Canada<\/a> confirmed that the data was shipped without the knowledge or consent of customers in violation of the federal Personal Information Protection and Electronic Documents Act (PIPEDA).<\/p>\n

It was done through Meta\u2019s Offline Conversions program. Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt since at least 2018. However, the investigation revealed that during this period, the encoded email addresses, along with high-level details about each customer\u2019s in-store purchases, were also sent to Meta.<\/p>\n

\u201cWhen customers were prompted to provide their email address [at check-out], they were never informed that their information would be shared with Meta by Home Depot, or how it could be used by either company,\u201d Dufresne said in a news release accompanying the decision. \u201cThis information would have been material to a customer\u2019s decision about whether or not to obtain an e-receipt.\u201d<\/p>\n

\u201cAs businesses increasingly look to deliver services electronically, they must carefully consider any consequential uses of personal information, which may require additional consent,\u201d Dufresne said.<\/p>\n

\u201cIn this case, it is unlikely that Home Depot customers would have expected that their personal information would be shared with a third-party social media platform simply because they opted for an electronic receipt.<\/p>\n

\u201cAs Canada marks Data Privacy Week<\/a>, it is the perfect time to remind companies that they must obtain valid consent at the point of sale to engage in this type of business activity.\u201d<\/p>\n

Information sent to Meta was used to verify if a customer had a Facebook account, the ruling said. If they did, Meta compared the person\u2019s in-store purchases to Home Depot\u2019s advertisements sent over the platform to measure and report on the effectiveness of those ads. Meta\u2019s Offline Conversions contractual terms also allowed it to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.<\/p>\n

Each email address Home Depot shared with Meta was encoded so that it could not be read by individuals at Facebook. Meta employed an automated process that allowed it to match email addresses attached to Facebook accounts. Email addresses not already associated with a Facebook account could not be linked to individuals.<\/p>\n

While the details of a person\u2019s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual\u2019s health or sexuality.<\/p>\n

During the investigation, Home Depot said that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, adequately explained that the company uses \u201cde-identified information for internal business purposes, such as marketing, customer service, and business analytics.\u201d The website statement also says the company \u201cmay share information for business purposes,\u201d including \u201cwith third parties.\u201d Home Depot also relied on Facebook\u2019s privacy statement, which explained the Offline Conversions program.<\/p>\n

The commissioner rejected that argument, as the privacy statements Home Depot relied on for consent were not readily available to customers at the check-out counter, and consumers would have no reason to seek them out. Moreover, the commissioner found that Home Depot\u2019s privacy statement did not clearly explain the practice.<\/p>\n

The company said that it did not notify customers of its information sharing agreement with Meta just prior to issuing e-receipts due to the risk of \u201cconsent fatigue.\u201d<\/p>\n

\u201cConsumers need clear information at key transaction points, empowering them to make decisions about how their personal information should be used,\u201d\u00a0 Dufresne said. \u201cConsent fatigue is not a valid reason for failing to obtain meaningful consent. Many customers would be surprised, as the complainant was in this case, to learn that their personal information had been shared with a third party like Facebook without their knowledge and consent.\u201d<\/p>\n

As a result of the investigation, the\u00a0Office of the Privacy Commissioner (OPC) recommended that Home Depot:<\/p>\n