Home Depot Canada Found Sharing Customer Personal Data With Meta

Home Depot's Canadian arm was found to be sharing details from e-receipts related to in-store purchases with Facebook owner Meta Platforms without the knowledge or consent of its customers, according to Canada's privacy regulator. From a report: An investigation by the Office of the Privacy Commissioner of Canada (OPC) found that by participating in Meta's offline conversions program Home Depot shared the e-receipts that included encoded email addresses and purchase information. The regulator added that the home goods chain stopped sharing customer information with Meta in October 2022, which was among the recommendations made by OPC, until the company is able to implement measures to ensure valid consent.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Way Smarter Then You]

And warranty registration, unfortunately.

Poison the well people

[RitchCraft]

Whenever I'm asked for any personal information at checkouts or need to enter my phone number for "discounts" I always make shit up. Oh, and always pay in cash if you can. The latest name I use ... Richard Tater. My email, why yes, it's d1kt8t0r@gmail.com, thanks for asking.

Re:

[Opportunist]

This right there.

Bonus points if you buy doggy treats and condoms (and nothing else) with your customer card. The spam you get really is interesting.

Re:

[RitchCraft]

You've taken it to the arsenic level my friend. But I might suggest using someone else's customer card.

Re:

[Opportunist]

Why? Let them guess.

It's not like I buy condoms and bonbons...

US side had to know

[MooseTick]

There is no way the US side of Home Depot didn't know about this and obviously decided it was ok. Now any transaction from HD may have been shared with any entity that could have an economic interest. In a few decades people will be shocked at how the information "wild west" allowed companies to buy and sell info about people with little or no oversight. And all this after multiple data leaks that cost billions of dollars.

Re:

[Big Bipper]

The US side probably started selling data to Meta first, but just haven't been outed yet.

Creepy As F***

[gflash]

I recently purchased an item at a Home Depot store. I did not provide any email.

I received an email a day later asking how I liked the product. WTH???

I guess they know how they did it - they matched the credit card details to a previous transaction I must have done via the website. I guess this is standard business practice now but I really don't like it.

Re:

[Opportunist]

Credit card for online, debit card for brick'n'mortar.

Re:

[sysrammer]

Mmm. I quit using a c/c a while back, deciding that a debit card was adequate. Perhaps I should reconsider.

Say no to e-receipts

[garett_spencley]

Glad I always say "no" to an email receipt and just take the paper when I shop there. Not a chance in hell they're getting my e-mail address, and nonsense like this is why.

Re:

[gflash]

They may match it to you anyway as I recently found out. Didn't provide an email at checkout but received an email a couple of days later asking for a review.

Re:

[Opportunist]

I made it an interesting pastime to create a mail address for every shop I go to, then check which ones get what kind of spam to see who sells my mail to whom.

Re:

[sysrammer]

That's a good technique.

Re:

[arosenfield]

If you pay with the same credit card that's ever been attached to your email address via the same payment processor (even at another store), they can link it up with you. I've had various merchants that use Square/Stripe/Toast/etc. add me to their mailing lists without my consent, even though I never gave them my email, because I had given my email to some other random merchant that used the same card.

You gotta either pay with cash, or pay with a card that's never been linked with your email (hard to do),

EVEN WORSE...

[Anonymous Coward]

Major tax-filing websites secretly share income data with Meta

https://arstechnica.com/tech-p... [arstechnica.com]

But slashdot decided that this was unimportant, and didn't bother to post the submission.

Aw, crap. Cat's out of the bag.

[Petersko]

Now everybody knows I bought two shovels, a snow blower, and a some pest control packs in the last six months. I'm screwed.

Kidding aside, I let them have my info. I actually buy enough from them that having pdf receipts emailed to me is handy. I already use a points VISA for everything - my purchase info is in the wild no matter what, so I opt for convenience.

I just use one common dumping-ground email for this stuff - a digital graveyard from which I only retrieve receipts and invoices.

Re:

[fropenn]

Let's say you bought new door locks and are planning on kicking out your abusive spouse. Do you want to make it publicly known (especially to the abuser) that this is coming?

Re:

[Petersko]

I don't understand your use case. In the unlikely event that your abuser has access to credit card data and is watching it, pay in cash. Home Depot Canada's POS units ask you if you'd like paper only or an emailed receipt. Choose paper only.

So what?

[Murdoch5]

We have terrible policies for data security, protection and safety in Canada. Our entire system is built around, "Well eh, uhhh how about you just don't take a look there, and ummm we'll close the file containing the print-out eh!". It doesn't matter what data you're talking about, be it sensitive tax documents with the CRA, medical records with Health Canada, or buying a candy bar from the corner store, all your data is essentially open, unprotected, and around for everyone to see as they wish.

Home Depo

Re:

[ceoyoyo]

WTF are you talking about? This story is about a company breaking privacy laws and getting caught. Canadian privacy laws regarding health data are some of the strongest in the world.

Re:

[Murdoch5]

No, Canada doesn't give a flying F about data privacy, and it doesn't matter if you're talking health data, tax data, or anything else, and that's regardless if our health data privacy protections qualify as "some of the strongest in the world".

What aspect of our health data is protected? None of the data is encrypted, which as a first pass means it's absolutely insecure, apart from that major issue it's not required to be encrypted in transit, or protected from "prying eyes". If you're a nurse or docto

Re:

[ceoyoyo]

That's quite the screed. It's also mostly fantasy.

Re:

[Murdoch5]

Nothing about it is fantasy, it's sad you think the government cares, truly sad.

Re:

[ceoyoyo]

You should stop being sad and cynical and do a bit of research about the things you're working yourself up over.

I'm not going to go through your whole rant because people get paid a lot of money to explain privacy requirements and I'm fortunately not one of them. So just take your assertion that heath data isn't encrypted.

First off, healthcare is a provincial responsibility in Canada. Health Canada doesn't have your medical records, and doesn't want them. If you live in a sensible province your privacy is p

Re:

[Murdoch5]

Just to be clear, I'm not debating standards exist, I'm debating they're not acceptable. If you want a quick summary to how bad things are, just consult: https://www.ipc.on.ca/wp-conte... [ipc.on.ca] That link was given to me from the IPC: "info@ipc.on.ca" when I demanded to know why records weren't sent via encrypted email. To date, nothing has changed!

Health Canada gets involved when you need federal intervention. A good example of that would be medical cannabis, which if you have a valid license to consume, bu

Re:

[KorioLiam]

This can be said not only about Canada. Social networks are universal and their owners collect data without informing their users. This is a reason to think for everyone who does not want their private life to fall into someone's lists. I myself am not without sin and often use married women dating (Nastyhookups [nastyhookups.com]). But I have an understanding that such a service can give you anonymous use, unlike FB or mobile applications .. Soon everyone will switch to this format.

Re:

[0xG]

The point is that they didn't break any laws. They were caught doing something unethical and underhanded, yes.
But no charges have been laid; just a scolding.
Canada desperately needs something like the GDPR.

Re:

[ceoyoyo]

https://www.theglobeandmail.co... [theglobeandmail.com]

The privacy commissioner disagrees with you.

I fell for it once

[internetd00du]

I was in a good mood and the sales person said e-receipts can't be lost etc etc. I made jokes about spam, and the guy assured me he's ticking the box for no spam.

I honest to god, started getting spam from the company every couple days. I emailed to complain and brought up GDPR... after 2 or 3 weeks the spam stopped.

You can't trust companies with your data even if they pinky swear to be nice. And since my wife was witness to the whole thing in the store... she doesn't write it off as a rant.

Re: I fell for it once

[volcan0]

My favorite one is using a contact form, never hearing back from the company I wanted to buy from and then getting put on their mailing list.