Home improvement retailer The Home Depot’s Canada arm was found sharing people’s in-store purchase e-receipts with Facebook owner Meta without the knowledge or consent of those consumers, according to Canada’s privacy watchdog.

Top line

An investigation by the Office of the Privacy Commissioner of Canada (OPC) found that The Home Depot, via Meta’s Offline Conversions program, had been collecting customer email addresses and high-level in-store purchase information at store checkouts from 2018 through last October.

“In this case, it is unlikely that The Home Depot customers would have expected that their personal information would be shared with a third-party social media platform simply because they opted for an electronic receipt,” said Commissioner Philippe Dufresne, in a statement.

A Home Depot spokesperson said the issue was isolated to Canadian stores and the U.S. stores do not use this technology.

Between the lines

The information collected was sent to Meta to verify whether the customer had a Facebook account. If they did, Meta then compared the person’s in-store purchase to The Home Depot’s ads on the platform to measure and report on the effectiveness of those ads.

Home Depot Canada stores used Meta’s analytics tool for non-sensitive information. But regulators determined even details of a person’s in-store purchases can be classified as “highly sensitive.”

The Home Depot argued that it relied on implied consent and that its privacy statement can be found on its website and in store. The privacy statement states how the company plans to use the information for business purposes like “marketing, customer service, and business analytics with third parties.”

Bottom line

Other retailers, most recently Sephora stores in the U.S., have been on regulatory radars for similar data mishaps and privacy law violations that have cost them millions of dollars in fines.

While no fines have been levied on The Home Depot, the OPC has recommended the retailer stop sharing receipt details with Meta until they can seek valid consent from consumers.

The company is also required to implement measures for consumers’ opt-in consent and to strengthen its privacy statement.