Zevin presses Home Depot on data privacy

Retail data privacy usually sounds abstract. But this fight is very concrete — cameras in parking lots, license plates in databases, and shareholders asking what happens next. The new wrinkle is that Zevin Asset Management is pressing Home Depot investors to back a proposal at the company’s May 21, 2026 annual meeting that would force the board to spell out the risks of sharing sensitive customer data with third parties. Home Depot’s board wants shareholders to vote no. ### What is the actual vote about? Item 8 on Home Depot’s 2026 proxy asks for a board report on risks to customers’ data privacy rights from sharing sensitive customer data with third parties, plus any steps the company uses beyond bare legal compliance to reduce those risks. This is not a demand to shut down a business line tomorrow. It is a demand for a formal, board-level accounting of exposure. The vote happens at Home Depot’s virtual annual meeting on May 21 at 9:00 a.m. (iccr.org) Eastern. ### Why are investors focused on Flock Safety? Because this is really about surveillance data moving farther than customers expect. Zevin’s campaign points to Home Depot’s use of Flock Safety, a vendor known for automated license plate reader cameras. The concern is that data gathered around stores can end up in large law-enforcement networks, including access paths that investors say have been used by federal immigration enforcement through local police partners. (iccr.org) That turns a normal retail-security tool into a civil-rights and reputational risk. ### Why does a board report matter? Basically, investors are saying privacy risk is not just an IT issue. It is a governance issue. If customer data sharing creates legal exposure, public backlash, or lost trust, that can hit the brand and the digital business at the same time. A board report also creates a paper trail — what directors knew, what they reviewed, and whether safeguards were strong enough. That is why proposals like this are framed around oversight, not just compliance checklists. (zevin.com) ### What is Home Depot’s argument against it? Home Depot says it already has oversight systems in place. In its proxy, the company says internal audit routinely reviews data protection, cybersecurity, privacy, and third-party risk management, with findings presented quarterly to the audit committee. So management’s position is that the company already monitors this area and does not need another public report. That is the heart of the disagreement — existing controls versus investor demands for more transparency. (iccr.org) ### Why is this landing now? Timing matters. Home Depot is heading into its annual meeting with a big operating story — fiscal 2025 sales of $164.7 billion, net earnings of $14.2 billion, and more than 2,300 stores — but also a growing argument that retail surveillance has become a shareholder issue. Zevin has been building this campaign for months, tying it to broader questions about worker safety, immigrant communities around store parking lots, and how much responsibility retailers have once vendor data enters outside systems. (ir.homedepot.com) ### Is this likely to change Home Depot overnight? Probably not. Most shareholder proposals are advisory, and even a strong vote would not automatically rewrite company policy the next day. But a meaningful level of support would still matter. It would tell Home Depot’s board that a slice of investors sees data-sharing and surveillance practices as financially relevant, not peripheral. And that can shape future disclosures, vendor reviews, and board oversight even without a binding mandate. (ir.homedepot.com) ### What is the bottom line? This is a test of whether investors now treat parking-lot surveillance the way they treat cyber risk — as something that can spill into brand damage, legal trouble, and strategy. Zevin is trying to make that shift explicit at Home Depot. If the proposal draws real support on May 21, the company may not have to change everything, but it will have a harder time treating data privacy as a side issue. (iccr.org)