In Hvitved v. Home Depot of Canada Inc., 2025 BCSC 18, released on Jan. 7, Justice Peter Edelmann rejected arguments that the home improvement giant's customers had no reasonable expectation of privacy in the email addresses and purchase data shared with Meta, which owns social media platforms such as Facebook and Instagram.
“A reasonable expectation of privacy cannot be assessed on a piecemeal basis, looking at each element of data in isolation,” the judge wrote, noting that the plaintiff had alleged that Home Depot had sent the data to Meta for the purpose of it being correlated and connected to Meta profiles.
Between October 2018 and October 2022, Home Depot gave customers shopping in person at its stores the option of receiving their transaction receipt by email.
Home Depot shared some of this information with Meta, including a hashed string of characters encoding the customer's email address, the dates and times of their purchases and the sales dollar amount.
The retailer shared the data in order to use an offline conversions tool service provided by Meta that compares advertisements on Facebook with real-world outcomes such as in-store purchases.
The plaintiff, Lasse Hvitved, alleged that Home Depot breached various privacy statutes, common law duties and contractual obligations when it collected the relevant personal information and shared it with Meta, a third party.
He further alleged that Home Depot was also unjustly enriched as a result of the breaches.
Home Depot argued that it did not violate the relevant customers’ privacy as they had no reasonable expectation of privacy in the data shared with Meta.
It argued that the high-level information shared with Meta about each purchase, including the date, amount, and the general department of the purchase, are even less sensitive than what appears on the face of a tossed-out receipt.
The defendant submitted that this data would have been apparent to any members of the public who saw the customer making the in-store purchase.
Home Depot also argued that under case law there is no privacy interest in contact information like an email address.
Justice Edelmann held it was not evident that the data in question could have been compiled and used in the manner described by someone observing an in-store purchase.
“In particular, it is not clear that the email address would have been visible to a person observing the transaction,” the judge wrote.
He added that even if the court accepted the argument that there is a limited expectation of privacy in an email address on its own, the allegation was that the email address allowed information about in-store purchases to be connected to a Meta profile.
The judge noted that the plaintiff had pleaded that Home Depot’s customers had a reasonable expectation that their purchase data would not be compiled and shared with Meta to be used not only to generate marketing information for Home Depot but also for Meta’s own marketing purposes.
The court held that the plaintiff had sufficiently pleaded the violation of a reasonable expectation of privacy.
Justice Edelmann also found that the cause of action for a wilful violation of privacy had been sufficiently pleaded and that the allegations of wilful collection and subsequent sharing of personal information, along with false denials that such sharing took place, sufficiently set out an arguable case for punitive damages.
The plaintiff also pleaded that Home Depot breached the contracts customers entered into with Home Depot when they made purchases in a store.
He argued that an in-store purchase creates a contract between the customer and the seller and that at it was an express term of the contract that Home Depot would use the email addresses only to provide an electronic receipt.
The plaintiff further submitted that it was an express or implied term of the contract that Home Depot would be responsible for all the personal information of class members under its control and would take appropriate measures to ensure that personal information would not be disclosed to third parties without consent.
Home Depot submitted that the pleadings did not set out the nature of the contracts, whether they were oral or written, or even where one would find the express terms of the contract.
The court cited Lam v. Flo Health Inc., 2024 BCSC 391 in which the B.C. Supreme Court held that it is inappropriate to plead implied terms in the alternative as a safeguard if express terms are not found to exist.
Justice Edelmann found that the cause of action in contract had not been made out in pleadings.
With respect to the cause of action in unjust enrichment, the plaintiff had alleged that Home Depot was enriched by the economic value it obtained from providing the personal information to Meta and the class members suffered a corresponding deprivation of the opportunity to sell their personal information to Home Depot or Meta.
The plaintiff also submitted that there was no juristic reason for the enrichment.
Justice Edelmann noted that the plaintiff had not pleaded any material facts about the alleged opportunity to sell the data in question to Home Depot or Meta.
The court noted that counsel for the plaintiff had in oral submissions suggested that individuals are regularly provided opportunities to exchange the use of personal information for material benefits such as rebates, merchandise or services through loyalty card programs.
“However, there is no suggestion in the pleadings nor in the evidence before me that Home Depot or Meta were willing to pay class members for the use of the data at issue, whether through a loyalty card programme or some other mechanism,” the judge wrote.
The judge also observed that the pleading did not suggest a loss of opportunity to sell the data to any other party and that there was no evidence that Home Depot or Meta were willing to pay class members for the use of the data at issue.
The judge added that the economic value of the “opportunity to sell” the data would also be premised on the willingness of the individuals in question to sell.
He observed that in previous cases decided by the court that the loss suffered by individuals who would not have sold their data is non-pecuniary.
The judge held that a cause of action of unjust enrichment had not been made out on the pleadings.
“In conclusion, the plaintiff’s application for certification is allowed in relation to the alleged breaches of provincial privacy legislation. The other causes of action are struck,” the judge wrote.
The court certified the action as a class action on behalf of all residents of Canada who, from Jan. 1, 2018 to Oct. 31, 2022, made a purchase at a Home Depot store anywhere in Canada, excluding Quebec, and provided their email address for the purpose of receiving an electronic receipt.
Home Depot declined to comment on the decision.
“We value and respect our customers’ privacy and are committed to the responsible collection and use of information. We aren’t able to comment on ongoing litigation,” a Home Depot spokesperson told Law360 Canada.
Counsel for the parties were not immediately available for comment.
Counsel for the plaintiff were Chelsea Hermanson, Jamie Thornback and Brenna Krause (articled student) at Camp Fiorante Matthews Mogerman LLP.
Counsel for the defendant were Alexandra Cocks and Connor Bildfell of McCarthy Tétrault LLP.
If you have any information, story ideas, or news tips for Law360 Canada on business-related law and litigation, including class actions, please contact Karunjit Singh at karunjit.singh@lexisnexis.ca or 905-415-5859.