back to article Home Depot sent my email, details of stuff I bought to Meta, customer complains

Canada's Home Depot has stopped using Meta's "Offline Conversions" tool, it confirmed to a regulator dealing with a man's complaint after he discovered his visits to the home improvement shop had been recorded. According to an investigation by the nation's privacy commissioner (OPC), it received a complaint from the customer …

  1. b0llchit Silver badge

    rm -rf /

    When and how is that illegally collected data being destroyed in all its forms aggregations from all storage (and receivers who got data or derivatives)?

    1. Yet Another Anonymous coward Silver badge

      Re: rm -rf /

      Was it Home Depot in the USA that accidentally leaked all its customer credit card details to crooks ?

    2. fidodogbreath Silver badge

      Re: rm -rf /

      When and how is that illegally collected data being destroyed

      That would imply that laws apply to tech companies.

  2. Mike 137 Silver badge

    Makes one want to emigrate

    'The commissioner said Home Depot claimed it had customers' "implied consent"'

    Here in the UK, despite 'implied consent' being (at least currently) unlawful, you'll never get the regulator (ICO) to act on any complaint of this kind, despite the (also unlawful) surreptitious sharing of customer information with the big data slurpers being extremely widespread.

    1. chivo243 Silver badge

      Re: Makes one want to emigrate

      I will be emigrating back to the US after nearly 25 years, I'm currently in a country where you can refuse all cookies on cookie consent popups. Not sure how effective that is... but it's a step in the right direction.

      1. Anonymous Coward
        Anonymous Coward

        Re: Makes one want to emigrate

        The correct way to refuse cookies is to browse in incognito / private mode (maybe with browser completion to autofill your logins). Otherwise you're depending on the buggy implementation of a website instead of a much more well-tested browser. The European lawmakers might have got a better result if they've gone after the browser makers instead of insisting on a pop-up on every single commercial website (which I always accept because if I don't want to keep the cookies I'll be in incognito mode)

    2. Anonymous Coward
      Anonymous Coward

      Re: The commissioner said Home Depot claimed it had customers' "implied consent"'

      They stored piles of timber next to rags and flammable paint thinners - I think they had "implied consent" for burning the place down

      1. Anonymous Coward
        Anonymous Coward

        Re: The commissioner said Home Depot claimed it had customers' "implied consent"'


        "Home Depot also referenced 'consent fatigue' as a rationale" -- I'm expecting rapists to use the same argument soon...

  3. Snake Silver badge


    that's why, no matter what kind of looks I get for assuming that I'm just being a Luddite, I only buy with cash and never use those offerings of an e-receipt.

    No. Thank. You.


    Privacy for yourself is a personal responsibility. It always has been. Don't assume that others are doing it for you because they have vested interests not to.

    Thanks to *both* our corporatist governments - both the U.S. and the U.K., and DON'T even attempt to claim that your government is any better than the U.S. in this regard - always assume some corporation is collecting your information for to enhance their profit motives. Always. To believe otherwise is complete naivete.

    So damn it, stop using your credit cards for every £3 latte yet expecting that no one is looking over your shoulder at your purchase activities.

    1. chivo243 Silver badge

      Re: Annnnnnnd...

      Well said... I'm not a Troglodyte and a Luddite, but I play both in public when I'm asked these questions... I'm grey enough to pull it off!

      1. Anonymous Coward
        Anonymous Coward

        Re: Annnnnnnd...

        Youngsters can be gulled into believing we are ignorant of all the things that were actually invented when we were about 12 years old, and we spent half our lives working on. I'm adding faux deafness to my arsenal now.

        Membership has it's privileges!

        1. chivo243 Silver badge
          Thumb Up

          Re: Annnnnnnd...

          Selective hearing is the best. Getting lots of milage out of it!

    2. Anonymous Coward
      Anonymous Coward

      Re: Annnnnnnd...

      So damn it, stop using your credit cards for every £3 latte yet expecting that no one is looking over your shoulder at your purchase activities.

      Ah, you poor innocent creature. You have yet to learn the ways of the wise.

      I "give" them what they want, because I control the pattern they so develop. It suggests I have no idea, am an innocent citizen etc etc. It's less suspicious than a full blackout.

      "No officer, I buy everything with my card and as you can see there are no quicklime and carpet purchases there"

      Rule one of intercept is that the subject should not be aware of it or what you pick up may just be played for your benefit.

      You want my data and try to do this surrepticiously? Beware what you ask for.

      1. el_oscuro

        Re: Annnnnnnd...

        So you have confessed - you are the real BOFH.

      2. captain veg Silver badge

        Re: Annnnnnnd...


        We're genuinely not worthy.


    3. BillG

      Re: Annnnnnnd...

      I'm the same way - I pay with cash. It's not only about privacy, it's about not having my credit card slurped. It's also about sticking to a budget.

      But even when I pay with cash, many retailers will ask for a mobile phone number. Well, they don't really ask, while staring at the register they intone "What's your mobile number?" in a demanding tone of voice that assumes compliance. I've noticed that people automatically comply. But when I respond "No", there's usually a bit of comic relief when they hesitate, frown at me, and say it's for their rewards program or something like that. After a brief argument they give up.

      When it comes to privacy and data security, most people are frogs and let themselves be slowly boiled.

      1. Anonymous Coward
        Anonymous Coward

        Re: Annnnnnnd...

        I have a number I give. It is best to give them one as it is often beneficial for warrantee purposes.

        1. Dimmer Bronze badge

          Re: Annnnnnnd...

          I think there are at least 10 (and I have no idea who they are) of us using the h...or frei... inside track membership. They only ask for the number, never any ID.

          Try Time and Temp numbers. Skew the data.

      2. Pirate Dave Silver badge

        Re: Annnnnnnd...

        I just tell them I don't have a phone. "Sorry, I got rid of that a few months ago".

      3. Doctor Evil

        Re: Annnnnnnd...

        "But even when I pay with cash, many retailers will ask for a mobile phone number. Well, they don't really ask, while staring at the register they intone "What's your mobile number?" in a demanding tone of voice that assumes compliance. I've noticed that people automatically comply. But when I respond "No", there's usually a bit of comic relief when they hesitate, frown at me, and say it's for their rewards program or something like that. After a brief argument they give up.?"

        They want a number? Give them a number ... any old number you can make up on the spot: yours, varied by a single digit, or a completely unrelated string of the appropriate number of digits, or anything in between. There: request satisfied with no need for argument or raised blood pressure. No privacy violation either. And it's not as if they're going to immediately call or text the number to test it. The cashiers are given their script and have to follow it -- but feel free to salt their data. I've done it for years.

    4. captain veg Silver badge

      Re: Annnnnnnd...

      At least now I know why Decathlon (in France, at least) tries to grab your email address rather than printing out a receipt at the tills.

      It had puzzled me until now. If I don't want or need a receipt, which is possible, then I might appreciate the possibility of them not spraying tar and carbon on to dead tree. Though why, if that's an option, they continue to place hefty security staff next to the exit from the megashed is non-obvious. If I do want or need a receipt then I'd like a receipt. Not some trivially easily forged collection of bits sent to some random email address that I happen to chuck in their direction.

      Naturally I have thusfar declined, just because of suspicion of things that I don't immediately understand. I need to recalibrate my naivety-cynicism balance again. I just don't have the imagination to compete with people who think up this kind of shit.


      1. Archivist

        Re: Annnnnnnd...

        Maybe you should give them an email address comprised of the maximum 320 characters. That'll piss 'em off.

        1. captain veg Silver badge

          Re: Annnnnnnd...

          Generally if some fuckwit corporation insists on me giving them an email address, and if a moment's reflection reveals that there's no way they can validate it (e.g. airport WiFi where you have to provide an email address before you can access, but there is no way that they could email you an authorisation code because you don't yet have access to the WiFi) then I make up something in the domain <>. It could be <> or <> with the same result. Don't quote me on this, but I believe that *.invalid works much the same.

          I'm not sure where your 320 character limit came from. So far as I'm aware any combination of <user-name>@<domain>.<tld> is valid, and <user-name> can contain any otherwise reserved characters so long as it is quoted.

          But sure, feed the fuckers really long garbage in the hope that it might break their suppositions about maximum length.


    5. Boo Radley

      Re: Annnnnnnd...

      Due to having a poor credit score I only paid cash for around 15 years. Then I got a credit card with a $300 limit, used it a lot each month, paid most of it each month, and the bank liked that. They kept raising my credit limit at regular intervals, and my credit score rose to the point that I easily qualified for a second card, then a thid one, each one with higher limits, which I started using for everything thing, including $3 purchases. I paid all of them off each month. Before I knew it I had a $20k limit on that first card, and my credit score had risen to the point that I easily qualified for a mortgage for the house I bought last year. All my cards have low balances, I still use them for nearly everything and pay 90% of the balance each month, so my interest is minimal. Long story short, by using those cards for virtually everything and paying them off like I do, I quickly took myself from a score of +/- 500 to +/- 800, and improved my life situation dramatically. So I can see why people use their cards for everything, if done the way I did it it can really pay off.

  4. alain williams Silver badge

    "consent fatigue"

    I am fatigued at all these corporations that assume that I consent to their slurping and sharing my data.

    The one that currently annoys me most is how many web sites have in them and do not ask if I consent to that. OK: my /etc/hosts maps that to but most people do not know how to do that.

    Oh: El Reg - you have googletagmanager ... when are you going to ask us if we want that ? To see how it should be done go to

    1. chivo243 Silver badge

      Re: "consent fatigue"

      Oh: El Reg - you have googletagmanager

      Perhaps, the parent Company is to blame? If I go there with my extensions enabled and the Pi-Hole removing garbage, this site doesn't load?!! I get the green circle chasing it's ass... Thanks NoScript!!

    2. el_oscuro

      Re: "consent fatigue"

      You know you can download a host file which blocks a lot more, correct?

      It's too bad I don't have a way of editing /etc/hosts on my phone.

      You can also of course use a Pi-Hole and set that to your DNS server. Works for phones too, but only when they are connected to your wi-fi.

      1. chivo243 Silver badge

        Re: "consent fatigue"

        Until recently you are correct. But I just saw this on the Pi-Hole website yesterday...

        4. Block ads everywhere, even on the go

        By pairing your Pi-hole with a VPN, you can have ad blocking on your cellular devices, helping with limited bandwidth data plans.

        PI-HOLE + VPN

  5. Roland6 Silver badge

    Suspect Home Depot aren't the only one's...

    >"Home Depot forwards the customer's hashed email address and offline purchase details to Meta when the customer provides their email address to Home Depot, at checkout, to obtain an e-receipt."

    Probably need to do some research, but would not be surprised if this mode of operation is normal amount those high street stores that provide e-receipts if you supply an email address...

    Just off the top of my head: Screwfix, B&Q, Dunelm, Toolstation, PCWorld, ...

    1. nematoad Silver badge

      Re: Suspect Home Depot aren't the only one's...

      Halfords do it as well.

    2. fidodogbreath Silver badge

      Re: Suspect Home Depot aren't the only one's...

      It is absolutely common.

      Thousands of Companies Send Your Data to Facebook Without Your Knowledge

      1. captain veg Silver badge

        Re: Suspect Home Depot aren't the only one's...

        I think that this deserves the response "fuck me".

        To be clear, that is not an invitation to Facebook.


  6. Nightkiller

    Everything is Data Slurping.

    Home Depot asking if you want an email receipt implies permission to use the email address.

    Swiping your Corporate Points Card is Data Slurping.

    They pay you very little in "Rewards" for the data you give them.

    1. Anonymous Coward
      Anonymous Coward

      Yes, and exactly that "implied" is what is illegal here in Europe under GDPR. You can't bury it under the TB of Terms you normally have to agree to just to boil water these days (although I just filled out a 86 page contract bundle which needed 10 signatures and about 25 pages initialled which tried to do just that too, so the contracting entity is now facing some interesting questions).

    2. Roland6 Silver badge

      > Home Depot asking if you want an email receipt implies permission to use the email address.

      The majority of the public will take that to mean the email address will be used for the sole purpose of sending you an e-receipt.

      I’m not sure if “use to send offers and marketing materials” really covers both the handing over to FB and FB’s usage of the email address.

  7. chivo243 Silver badge


    "We have no intention of reintroducing the tool at this time... We have a much better tool in the pipe!

    1. Flocke Kroes Silver badge

      Re: next generation tool

      The big change they are working on is a new name so it does not identify itself as a criminal activity.

    2. doublelayer Silver badge

      Re: Really?

      Alternate translation:

      "We have no intention of reintroducing the tool at this time... because we didn't stop using it. We just sent a message to Facebook telling them they forgot to hide that from the big download all this random crap about you button."

  8. xyz123 Bronze badge

    Doesn't even get into how both the iOS and Facebook apps use exploits to turn your mic and camera on WITHOUT notifying you.

    Then recording the audio AND video, which is illegally pumped to Facebook (Outside the US and EU where it can't be the subject of data laws) for later analysis.

    Cambridge Analytica was just the tip of a very nasty Big brother network, and now the FB app spies on users 24/7.

    1. Anonymous Coward
      Anonymous Coward


      A third party app cannot access mic or camera on iOS or MacOS without it showing an orange or green dot respectively near the top of the screen.

      1. DS999 Silver badge

        Re: Nope

        A third party app cannot access mic or camera

        The same is true for Apple's apps, if you open the camera app the little green dot appears just like it does for third party apps.

        Now someone may point out "what about stuff like Pegasus" and sure if something built with the resources of a nation state p0wns the entire device down to the microkernel level then all bets are off. But Facebook isn't going to be doing stuff like that, because something that bad would be the first time that the government does something more than hauling CEOs before congress to testify for political posturing. Much, much more.

        1. Anonymous Coward
          Anonymous Coward

          Re: Nope

          Yes, but what happens if they open the camera?

          As an aside the camera module in a brand name computer that we supplied some components for, had the LED directly across the chip power. If the camera chip was powered, the LED was on.

          The prototypes had a plastic shutter you could slide across which was even better, but never made it into the production units.

          The next generation returned to firmware controlled LED on a port pin, so the camera could be used for facial unlock, without the camera appearing to be on all the time. i.e. the camera on led meant whatever you wanted it to mean.

          1. DS999 Silver badge

            Re: Nope

            Yes, but what happens if they open the camera?

            Who is "they"? The Facebook app can't open the camera unless you give it permission to do so. The end user can sure, but the Facebook app can't access what the camera is seeing or any pictures you might take without, again, permission to do so.

            Physical shutters sound great in theory but that's something that can break, or get grit on and scratch the lens, adds weight and thickness, etc. A better alternative for those who feeel that's important would be to buy some sort of privacy protecting case that has physical shutters built in. If there isn't such a thing then I guess that's a market opportunity for you - though if there really isn't one out there then I'd take that as an indication of the minuscule size of the potential market.

      2. captain veg Silver badge

        Re: Nope



  9. TVC

    Don't tell 'em Pike

  10. DS999 Silver badge

    Laziness and impatience saves the day

    It wastes time telling the checkout person (not just at Home Depot, but everyone who asks) my email address so I always refuse. Now I have a very good reason aside from that to continue doing so!

    1. Doctor Evil

      Re: Laziness and impatience saves the day

      Came here to say the same thing; upvoted you instead. Have one of these on me (maybe a Big Rock Trad?)

  11. Gene Cash Silver badge

    Inconsistant story

    So first Home Depot "incorrectly advised that they had not shared his information with Meta." then Home Depot also referenced "consent fatigue" as a rationale for why, at the time the customer requested an e-receipt, it did not notify them of its practices

    It's one or the other.

    Plus they stopped, so it's resolved. So now I can rob banks, but if I promise to stop, then it's "resolved" and no longer a problem?

    Where the hell is the fine?

  12. Theyank88

    Home depot needs to chill it.... People in my house cannot order or shop on home depot website without everyone in the house being completely bombarded with ads for those products. It is annoying and creepy. When can I see what exactly is being shared about me and how??? How can I monitor this for misuse?

    1. chivo243 Silver badge
      Thumb Up

      I stopped going down the rabbit hole trying to find what is actually being shared. Block the slurp! Set up a Pi-Hole , use something besides MS Edge or Chrome, use browser extensions, Ghostery, NoScript, uBlock Origin to name a few. This data slurp is on par with a war... it won't stop because you say chill. It's like telling a charging, angry dog to sit...

  13. Anonymous Coward
    Anonymous Coward

    Waitrose Till Cameras

    No one asked my permission to video me when I went to pay for my shopping.

    The first thing I noticed was the flicker just above my head, of course I look up and bingo picture perfect insta moment caught on camera.

    No warning, no explanation just a nice video perfect for facial recognition and they didn’t need to ask and of course linked perfectly to my credit card.

    That is GDPR in action in the UK.

  14. sinsi


    "Home Depot forwards the customer's hashed email address and offline purchase details to Meta...Meta then matches the email to the customer's Facebook account."

    How can they "unhash" a hashed email address? Isn't hashing one way?

    1. Scoured Frisbee

      Re: Unhash?

      Presumably FB already knows the address because Bob (or someone else) told them about it, and they just store the hash with the user profile. They can then match the Home Depot hash with what they calculated earlier.

      It is mostly true that the hashes will turn out to be unique, but someone intercepting them probably can't easily reverse to the email addresses.

      1. Falmari Silver badge

        Facebook shadow profiles

        Of course there is nothing stopping Facebook creating a hash table of non Facebook Users email addresses collected from Facebook users address books. Allowing Facebook to know what their users friends bought at Home Depot.

        Another piece of data Facebook can add to those shadow profiles it keeps.

    2. doublelayer Silver badge

      Re: Unhash?

      Hashing is one way, but every time they hash an email address, it will match anyone else hashing that email. They have two options. They could hash every email address when it comes in and just store a database of emails and hashes. Or if they didn't do that, they can go to their big box of email addresses and hash each one to see if it matches.

      Hashing is useful in the case of passwords because there are so many possible passwords out there. If I had a list of hashes and knew that all of them were from an initial set of a million possibilities, they would cease to be useful. That's why hashing a common or weak password doesn't prevent it from being insecure.

    3. sinsi

      Re: Unhash?

      OK, I thought that a hashing algorithm was a "roll your own" bit of code, but there are (apparently) only 7 approved ones, so it would be trivial for Facebook to store someone's email address 7 times as a hash and then compare the Home Depot hash, or even compare on the fly.

      1. doublelayer Silver badge

        Re: Unhash?

        There are a lot more than seven hashing algorithms, and you are capable of writing one of your own quite easily (though if you intend to use it for cryptographic purposes, think twice or ten times). If the goal was to have an internal representation that is opaque if leaked, anyone can write their own hash function to sort of do it, though a better way is to assign a random number instead.

        The reason Facebook has access is because Home Depot wants them to have access. They agreed on the hashing algorithm to use. Probably the point of using the hash instead of sending the address directly was to have something to say if any non-Facebook user protested about the sharing. Home Depot would say that Facebook was sent a value that, if they didn't have your address, wouldn't identify you. This is without considering that Facebook has lots of email addresses of people that don't have accounts that they could use if they were so inclined.

    4. el_oscuro

      Re: Unhash?

      It's trivial if an unsalted hash like MD5 is used. All FB needs to do is hash the emails and store the hashed value in the database. It is basically the same as sending it in clear text.

      $ echo | md5sum


    5. captain veg Silver badge

      Re: Unhash?



  15. ChoHag Silver badge

    Loyalty cards. Yes. THAT is the point where facebook's advertising model has gone "completely over the top". Everything up until this Home Depot debacle was honest and above board.

  16. Pirate Dave Silver badge


    Home Depot's partnership with Facebook is much more insidious than this. A few years ago, the wife and I were in the local Home Depot looking at kitchen sinks, something we had never done before (well, not since the rise of the Internet, at least). She had her iPhone in her purse, my Samsung was left out in the car. She at no time used her cellphone during our visit to HD, nor did we actually buy a sink. The next day, when she opened the Facebook app on her phone, she was immediate hit with Home Depot ads for kitchen sinks and faucets.

    Never forget, your eyeballs are Facebook's primary product.

  17. Anonymous Coward
    Anonymous Coward

    Connect Home Depot purchases to adverts

    Step 1: pay for a Meta advert along the lines of "you really ought to buy a Hammer, you can use it to commit crimes you know". Step 2: arrest every hammer purchaser if that advert happened to have been in their feed in the last month. Step 3: brag about having done a great job preventing crime in the area.

  18. Kevin McMurtrie Silver badge

    Spam, spam, spam

    They also have a frothing rabid customer retention department. You can try making an online purchase without spam, but the spam will flow. You can't opt-out either. I used California law to have my data removed.

    They eliminated ordering as "guest" so now I won't place any orders. How's that for customer retention?

  19. captain veg Silver badge

    just in case

    I expect that you already know this, but just in case...

    'Canada's Home Depot has stopped using Meta's "Offline Conversions" tool'

    In advertising, especially the online variety, a "conversion" is an action -- any action -- which resulted from someone seeing an ad. It could be a click-through on the ad itself. With tracking cookies it is more likely to be that you visited the advertiser's site -- or one syndicated to it -- at some point after the ad was delivered.

    The holy grail, of course, is conversion to an actual sale, but others are possible. A favourite of the advertising industry is "awareness". You saw an ad, and this affected your awareness of the advertised product.

    Home Depot sharing your freely disclosed email address allows Facebook to score a conversion of the most valuable kind. They (Facebook) showed you an ad, and then you bought something from Home Depot. If you are Home Depot then you probably hope that this sequence involved a Facebook ad for Home Depot, but it doesn't have to be so. No one really cares about causality just so long as the correlation is plausible.

    I work in the industry, and I say nuke them from a low orbit.


  20. M.V. Lipvig Silver badge

    Once again I'm ahead of the game

    I tell stores flat out that no, I'm not giving them an email. If my email is a requirement to check out (hasn't been yet) I have no problem not completing the transaction. Also make them print a receipt as I use paper receipts to reconcile my credit card statement. So far, no issues on that.

    Can't say my information isn't collected, but I make it hard to do and don't have a Faecesbook account so no help gor them there. The only goolge account I have is related to the phone, but as I don't use any google services that can put one to the other for generating ads, they're not making that money off me.

    Privacy - the odds may seem insurmountable, but fight the good fight anyway.

  21. Bitsminer Silver badge

    Just email address and list of items purchased? Meh.


    where the Privacy Commissioner investigated data slurping by Tim Horton's (a coffee and doughnut chain ubiquitous in Canada).

    the App identified where he lived and worked, when travelling more than 100 kilometers from his home, and noted when it believed he entered a Starbucks, Second Cup, McDonald’s, Pizza Pizza, A&W, KFC or Subway. In addition to tracking the author’s location within Canada, the App also tracked his location while on vacation in Europe and northern Africa.

    I conclude Home Depot is less imaginative than Tim Hortons...../s

  22. Anonymous Coward
    Anonymous Coward

    It’s a game

    You have the cheese, they are the rat.

    Give them nothing.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like