Does Home Depot Respect Customer Privacy?



Why does Home Depot need to capture my full date of birth, just to buy a product? I recently purchased a can of Plastic Wood and was stopped by the self-checkout assistant because the system wanted to verify I was over 18. Fine. I assume it has to do with preventing kids from sniffing glue, painting graffiti, or whatever. Even though I look well beyond such an age, I had to produce my driver’s license and the assistant verified my age then typed in the month, day, and year of my birthdate into the payment system. WHAT??? No thank you!

I am many decades beyond my teenage years. The gray hair and wrinkles tell that story. I instructed the associate to not use my real date of birth. She could put in a random day, month and year, but not my real birthdate. Begrudgingly, she voided the transaction and started again with different data.

This is an issue. Both the sales associate and customer were thrust into an unnecessary and uncomfortable situation because of poor foresight and a disrespect of privacy. The sales register software forced the input of a birthdate.

Full birthdates are private and strongly contribute to being able to personally identify an individual. They are used for all sorts of purposes, including by criminals as part of identity theft. I am not arguing the need to verify age for any legitimate purpose, like ensuring that only adults are purchasing certain products; rather, I am concerned with the depth of data being gathered beyond what is needed. Why not just the year of birth or a confirmation that the age was checked and validated by the store associate?

This is a sad example of a company unnecessarily gathering too much private and personal information without a legitimate need.


As a Privacy Conscious Customer
I am offended that a retailer has the audacity to take and document my personal information. I don’t want my birthdate in their system or associated with my credit card. No, I don’t want a birthday card from Home Depot. I certainly don’t want it to be used for marketing purposes, to be sold, aggregated or even anonymized for corporate profit. I am at their store to purchase products, not become one of theirs.

Even if they do not use it for marketing purposes, as indicators for internal metrics, or resell it to 3rd parties for profit, that data can still be exposed to my detriment. Let’s not forget Home Depot already had a major data breach in 2014. There is no benefit when hackers gain access to my birthdate in addition to any other information they can siphon from a breach. I choose to protect my data and one important measure is to control who has it.

Home Depot needs to change. I would postulate that all merchants who are reckless or unnecessarily gathering private customer data need to change.

Do You Really Want Customers’ Sensitive Data?
Now that I realize Home Depot is capturing people’s dates of birth, I do have a few questions. Date of Birth is considered Personally Identifiable Information (PII) by the U.S. Department of Commerce National Institute of Standards and Technology (NIST) as it is used to uniquely identify someone. If Home Depot is going out of its way to capture such details, most of which do not matter (do you really need to know the day/month or even actual year of my birth if it is confirmed that I am well over 18 years old?), they should justify the reasoning, specify exactly what they will do with the information, if it will be shared with 3rd parties, and give people the ability to opt-out!

I want to know if that data is being protected with exactly the same PCI controls, where the data is being stored, is it being aggregated, who will have access, which corporate officer is the data owner (responsible for the data and held accountable), if the data and system have been exposed to unauthorized personnel, who in Home Depot and 3rd parties has access to the information, is there an oversight process to request and revoke internal/external access, what the official data retention timeline is, how the data is being destroyed, and if regular audits are in place to verify all this?

Details should be published to the public and maintained.

A Better Set of Practices
Instead, for the betterment of their customers and stockholders, I recommend Home Depot at a minimum:

  1. Acknowledge they are making a mistake and vow to correct it.
  2. Modify the verification process to simply have the trained sales associate look at the customer to determine if they are obviously over 18, otherwise check the ID and verify the age is indeed 18 or over. If not, then disallow and void the transaction.
  3. If entering the date-of-birth is only part of a built-in Point-of-Sale calculator, which will not be stored anywhere, then it is not necessary for use on people that are far older than 18. Sales associates should bypass it unless the dates are close to 18 years and they require assistance to do the math.
  4. Immediately purge all current birthdate data in their systems, that has been already gathered, related to product age verification.
  5. Update your corporate Privacy Policy to include the details for age verification (as it currently is missing)!
  6. By default, assume people will opt-out of giving their birthdates, but you can allow an opt-in feature if they want Home Depot to know for some service or benefit. But be clear it is an opt-in process.
  7. Don’t be ‘creepy’ in what data you collect, process, or share. This includes transaction data, video surveillance, online shopping, and the sharing with 3rd parties. Get customers’ and privacy professionals’ perspectives.
  8. Set up an internal privacy oversight council to review all software (web, Point-of-Sale, etc.), processes, and 3rd party agreements to minimize the collection of personal data, dictate security control requirements, restrict distribution of customer data, and be an advocate for customer privacy.

If Home Depot is interested in being a leader in respecting the privacy of its customers, then I recommend the additional following steps:

  1. Make a public declaration about the importance of privacy for their customers. Have executives talk about it to the media and during quarterly earnings calls.
  2. Train employees about the fundamentals of privacy, its value, and how they should advocate the privacy principles. Provide an internal process for employees to raise issues to the corporate privacy board when privacy practices do not follow the letter or spirit of the policy.
  3. Maintain an updated Privacy policy document on the website. The last change, per the site, was in Feb 2018.
  4. Honor the “Do Not Track” web requests that are incorporated into browsers. Currently Home Depot ignores these signals from people who do not want to have their online activities tracked.
  5. By default, assume all customers do not want to receive marketing emails, marketing calls, and marketing mails. Currently, customers must traverse their website to Opt-Out of these.
  6. By default, assume customers do not want their private information shared with 3rd party business partners, affiliates, and marketing companies.
  7. Stop collecting data about the customer’s systems (phones, PCs, etc.), including online activities across devices.
  8. Outline what technologies you are using to track users electronically. Your privacy policy states that even if a customer deletes and blocks cookies, some tracking will persist.

To really show a desire to lead the industry in privacy responsibility, I suggest the following: Automatically, once a year, send out a notice to customers and detail what information has been collected, how it has been used, and catalog to which 3rd parties it has been shared. As part of this annual notice also indicate if any data has been exposed or stolen.

Internal Process Failures
The Home Depot Privacy policy does not state they will collect customers’ birthdates. They do indicate “We might also collect information like your age or gender.” Which is a little creepy, but age (normally measured in years) is different than a specific date of birth. This omission is an oversight in their privacy policy.

Given how Home Depot is handling privacy with customers, I will assume that Home Depot does not have a privacy review board for their applications, systems, or processes. If they do, then they are incompetent or ineffective. The first question any privacy oversight should ask is what is the minimum amount of sensitive data that is required to be gathered to satisfy the legitimate purpose. In this case, verification of age 18 is the goal. With review by a sales associate, it should be good enough that they simply validate that the age of the customer is 18 or over, like bartenders or retail sales of tobacco products, etc. If that is not sufficient, then simply the year of birth (or better yet the decade of birth for customers obviously well beyond their teenage years).

But Home Depot is not doing this, therefore I conclude they lack the proper internal processes to promote privacy practices.

Will Home Depot Change?
I experienced an unfortunate example of a company unnecessarily gathering too much private and personal information without a legitimate need. I could easily dismiss it or ignore it. But that is not how we, as a society, improve the trust in technology and reward those entities that are working hard to protect our security, privacy, and safety. So, I am raising the issue. Will anyone listen? Do you, as consumers, agree?

Let’s see if Home Depot responds and makes positive changes. I am posting to LinkedIn, copying their Chief Privacy Officer Stacey Keegan, will send this to their Privacy Official Customer Care team at CustomerCare@homedepot.com, and will post to Twitter, tagging Home Depot.

Customers and society have a voice. I encourage everyone to constructively raise privacy issues. Retail organizations would be well served to listen. Trust is a competitive advantage.

