Store allegedly violated purchasers' privacy rights by disclosing personal information to Meta
The British Columbia Supreme Court has allowed an application for certification relating to Home Depot’s alleged breaches of provincial privacy statutes but struck claims for unjust enrichment, contractual breach, and intrusion upon seclusion for being bound to fail.
The plaintiff in this case wanted to certify a class action on behalf of customers who gave their email addresses for the purpose of receiving transaction receipts when making purchases at stores of Home Depot of Canada Inc.
From October 2018 to October 2022, a customer shopping in person at a Home Depot store had the option of receiving their electronic receipt via email as long as they agreed to provide an email address. Home Depot kept a history of purchases made with a particular email address and information regarding those transactions.
Over the same period, Home Depot availed of Meta Platforms Inc.’s offline conversions tool in an effort to understand whether its advertising campaigns on Facebook led to in-store sales. To use this service, Home Depot gave Meta information about its customers via a secured transfer connection.
In this case, the plaintiff alleged that Home Depot breached the privacy rights of the proposed class members by collecting their personal information and disclosing it to Meta. Home Depot opposed certification and wanted to strike the pleadings.
In Hvitved v Home Depot of Canada Inc., 2025 BCSC 18, the Supreme Court of British Columbia issued a decision ruling that the proposed class definition would meet the requirement for certification under s. 4(1)(b) of BC’s Class Proceedings Act, 1996 if it would be reformulated to refer to those covered by the relevant provincial privacy legislation.
A class proceeding would be the preferable procedure in this case and would offer a fair, efficient, and manageable method of deciding the common issues and moving forward with the action, the court said.
The court held that the plaintiff met the requirements for a representative plaintiff since he was prepared to represent the class interests and was aware of the duties involved in the role. The court accepted that there was a detailed and thought-out litigation plan for advancing the proceedings and that the plaintiff’s counsel understood the complexities of the case.
The court found issues common to the class as a whole or to substantial subsets of the class, including the elements of a privacy breach, the steps taken by Home Depot to obtain consent, and the question of whether the court should interpret the relevant privacy policies to include Home Depot’s use of the purchase data.
Home Depot failed to identify significant differences in the nature and use of the customer information collected and shared that would require individual inquiries, the court found. If the facts of the case could establish a privacy breach, this would likely apply to the entire class or a significant part of it, the court said.
The plaintiff’s application properly framed as common issues the questions of whether Home Depot took affirmative or fraudulent steps to conceal its actions or should pay punitive damages considering the nature of its conduct, the court added.
