Canada’s Home Depot has stopped using Meta’s “Offline Conversions” tool, it confirmed to a regulator dealing with a man’s complaint after he discovered his visits to the home improvement shop had been recorded.
According to an investigation by the nation’s privacy commissioner (OPC), it received a complaint from the customer claiming Home Depot was breaking Canada’s Personal Information Protection and Electronic Documents Act (Pipeda), which requires a person’s “knowledge and consent” for the collection, use and disclosure of their personal information.
He said that while he was deleting his Facebook account, he took a look at “Off-Facebook Activity” and learned that Meta actually had a “record of most of his in-store purchases made at Home Depot.”
The man escalated the issue to the OPC after Home Depot “incorrectly advised that they had not shared his information with Meta.”
The report explained what exactly had been done, and it makes for creepy reading:
It added: “Meta can also use the customer’s information for its own business purposes, including targeted advertising, unrelated to Home Depot.”
The commissioner said Home Depot claimed it had customers’ “implied consent” but said that actually the customers had given nothing of the sort, were “completely unaware of the practice,” and “would not reasonably expect it,” adding that they’d given their email address to get an e-receipt, not to have it used for “secondary purposes, let alone for disclosure to Meta to be used for its own separate business purposes.”
Home Depot also referenced “consent fatigue” as a rationale for why, at the time the customer requested an e-receipt, it did not notify them of its practices of sharing information with Meta, the regulator added. But OPC added that this wasn’t enough to say consent had been obtained.
The home improvement giant stopped using Meta’s Offline Conversions Tool in October 2022 to comply with the commissioner’s recommendations, leading the privacy body to declare the issue “resolved.”
The real question, though, is whether seeing an ad on Facebook would even have mattered when the complainant went to buy a fuse, or some tarp, or a hammer at what was probably the nearest store in his neighborhood. Slurping up his data to that extent where you’re inferring his FB presence from a hashed email and then checking ads shown against purchases… it’s all completely over the top.
It doesn’t take away from the fact that, without consent, Home Depot had no business sending receipts to Meta and Meta had no business knowing, but it’s an intriguing tale that makes us want to sign right out of everything nonetheless.
And protip: most folks have a smartphone they can use to take a picture of receipts. Whether you then load them onto a receipts app (check the permissions it requests) is another choice.
A Home Depot spokesperson told The Register: “Even though our use of a Meta analytics tool involved the use of only non-sensitive information – i.e. the department in which a purchase was made – as a precaution, we stopped using the tool once the Office of the Privacy Commissioner of Canada expressed concerns about it in October 2022.
“We have no intention of reintroducing the tool at this time and would take the OPC’s recommendations into account if that decision changes in the future.” It added: “We value and respect the privacy of our customers and are committed to the responsible collection and use of information.” ®