Why It Matters that Home Depot Reportedly Gave Meta Shopper Data Without Consent
The digital marketing and retail industries have been locked in intense conversation over how to better protect consumer data. Among the consensus answers to this question has been that brands and retailers should focus on collecting zero- or first-party data because it comes directly from shoppers. But last week, Reuters and others reported that Home Depot gave customers’ information to the social network operator Meta without consent. The purpose of the data sharing was Meta’s “offline conversions” program.
Presumably, with that data, Meta can prove the effectiveness of ads on its platforms at driving shoppers into Home Depot stores. One can easily understand why receipts would be such an effective attribution tactic; they close the proverbial loop. (Home Depot stopped sharing the data in October.)
At first glance, this may appear to be just another incident of two corporate giants sharing consumer data without consent. But I think it imparts a broader lesson about the limitations of basing a data privacy strategy on the collection of first- or zero-party data. It also points to the higher bar brands and retailers must meet to craft truly privacy-safe practices.
Why zero- and first-party data aren’t privacy panaceas
Zero-party data is information that consumers willingly, actively, and knowingly provide to organizations. First-party data is information that companies collect as a result of their direct interactions with shoppers. For example, a survey response is zero-party data. First-party data would include a receipt; it’s data that comes from a direction shopper-brand interaction, but the shopper isn’t actively and knowingly handing data to a business. They think they’re just making a purchase.
The argument for zero- and first-party data as the foundation of data privacy strategy goes like this: The data is coming straight from the consumer. Ergo, the consumer has consented to give it to the business and likely knows the business is collecting it. There is no trickery here; the data collection is transparent and consensual.
But the Home Depot case illustrates the logical shortcomings of this argument. It’s great if brands and retailers get data directly from consumers; there is indeed a privacy advantage to this tactic over, say, third-party data passed around without consumers’ knowledge. But just because information was collected by a party with direct contact with the consumer doesn’t mean that organization can’t violate the consumer’s confidence or rights to privacy.
Collecting zero- or first-party data doesn’t mean the retailer has the consumer’s permission to share the data with any and all third parties. It doesn’t mean they can use the data for whatever purpose they choose. It doesn’t necessarily mean they can use it in perpetuity. None of those use cases would necessarily be transparent or respectful of the consumer. And that’s where Home Depot, like so many other organizations, appears to have gone wrong in this case.
The high bar for data privacy and why it’s so hard to meet
The standard response to this criticism of data privacy practices is that brands and retailers should do what I suggested above: get consumer consent not just to collect data but to share it with certain third parties, use it for a given period of time, and use it for specific purposes.
This is, in reality, extremely difficult for businesses to manage. Even if businesses were to use the many privacy and consent management platforms emerging to solve this problem, it’s unclear at best that consumers would take the time to tell each business exactly how the business can use their data. Ask five people how many times they’ve taken the time to impart this granular privacy preference information to businesses. Hardly anyone does.
So, the data privacy conversation has reached a sort of impasse. Privacy advocates expect businesses to get very granular consent from consumers, but common sense would indicate most consumers do not want to take the time to answer a detailed data privacy questionnaire. The result is the amorphous middle ground of unsatisfying cookie consent pop-ups — partial consent mindlessly given — that brands, retailers, tech platforms, and consumers largely occupy.