A few months ago I wrote about the importance of having well-defined internal processes so that companies can respond in a timely and appropriate manner when users request access to their data, exercise their deletion rights, etc. Together with the Privacy Notice, it’s one of the most visible aspects of a company’s privacy posture, and can often immediately show deficiencies in a privacy program. A lack of compliant responses can, of course, also result in enforcement actions. Getting this process right, regardless of your company stage, is one of the key areas I focus on with my clients.
This brings us to Home Depot. Last year I opened a Home Depot online account, and as a result, I started to receive both marketing emails and requests to review products I had purchased. All good - I signed up and agreed to this. I then used the same credit card at a physical store and started to get emails related to the products I purchased there too. How does Home Depot match my in-store purchase to my online account? It doesn’t take rocket science to figure out that the only common element is the credit card, and indeed many other businesses use this method of matching, for example, Square. I took a look at their Privacy Notice, however, and these were the permissible uses of payment card information:
Why Do We Collect and Disclose It?
Fulfilling orders and processing returns.
Communicating with you regarding payment status.
Collecting payments on behalf of our financial service providers.
Fraud prevention, security, and asset protection.
Nothing here about targeted email marketing or requesting product reviews - that’s odd. So, on July 25th I sent a CCPA ‘right to know’ request to Home Depot’s privacy email asking how this matching is working. On August 10th, they responded as follows (summarized):
“We don’t have enough information to know what triggered our communication to you. These marketing communications, including targeted advertising, may be triggered by multiple factors.”
They also sent a canned response regarding how I can access my information - that’s not what I asked for. On August 11th I sent further clarifying questions and also pointed out the lack of any mention of this kind of processing in their Privacy Notice.
I responded several times with the usual threat to report this to the FTC and the CPPA, etc., and also reminded Home Depot of the 45-day timeline to respond. More crickets, until finally, on October 13th, 81 days later, I received this response (summarized):
Under the MyAccount Terms and Conditions, we disclose that we will use your stored payment card information to identify your purchases in-store… We do not store actual payment card information or link actual payment card information to your account. Instead, we use tokenized payment card information as an identifier, with the tokenization providing enhanced privacy and security.
OK, thank you, but disclosing this in your T&Cs rather than your Privacy Notice lacks transparency, and in fact conflicts with that Privacy Notice. Also, 81 days to respond is too long. Home Depot didn’t ask for a 45-day extension, so on paper, they were not in compliance with the CCPA. Some better training and better processes would have avoided these unclear and delayed answers. Do better!
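To make the tokenized matching described in Home Depot’s response concrete, here is an added example (not Home Depot’s code; the key, record layout and card numbers are constructed) showing how a keyed token lets in-store receipts be tied to an online account without the card number itself being stored, and why that token is nonetheless a persistent identifier that a Privacy Notice should disclose.

```python
import hashlib
import hmac
import json

# Constructed example key. A real deployment keeps this in the payment
# processor's token vault, never next to the marketing database.
TOKEN_KEY = b"example-token-vault-key"


def tokenize_pan(pan: str) -> str:
    """Keyed, one-way token for a card number (PAN).

    The same card always yields the same token, which is what makes purchase
    matching work; the PAN cannot be recovered from the token without the key.
    """
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()


def link_receipts(accounts, receipts):
    """Attribute in-store receipts to online accounts using only the card token."""
    emails_by_token = {}
    for acct in accounts:
        emails_by_token.setdefault(acct["card_token"], []).append(acct["email"])
    linked = []
    for receipt in receipts:
        token = tokenize_pan(receipt["pan"])  # computed at the register; PAN then discarded
        for email in emails_by_token.get(token, []):
            linked.append({"email": email, "sku": receipt["sku"]})
    return linked


# Constructed sample data using well-known test card numbers.
ACCOUNTS = [
    {"email": "alice@example.com", "card_token": tokenize_pan("4111 1111 1111 1111")},
    {"email": "bob@example.com", "card_token": tokenize_pan("5555 5555 5555 4444")},
]
RECEIPTS = [
    {"pan": "4111111111111111", "sku": "POWER-DRILL-01"},
    {"pan": "4000 0566 5566 5556", "sku": "PAINT-ROLLER-02"},  # no online account
]


def demo():
    """Return the linked receipts and whether any raw PAN survives in the account store."""
    linked = link_receipts(ACCOUNTS, RECEIPTS)
    pan_stored = "4111111111111111" in json.dumps(ACCOUNTS)
    return linked, pan_stored


if __name__ == "__main__":
    print(demo())
```

The account records hold no card number, yet every swipe of the same card produces the same token, so the token links a person's purchases just as the PAN would; that linkage, not the storage of the PAN, is the processing a user would expect to see disclosed.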