Information Commissioner's Office
“Would you like us to email you a receipt?”
Blog posted by: Garreth Cameron, Group manager for Business and Industry, November 23, 2016.
On the surface it’s a simple question increasingly being asked by high street retailers. But sometimes this simple question doesn’t tell the full story.
An e-receipt can be more convenient at times, but it is also a way for shops to collect personal data about their customers and send them marketing.
In the run-up to the busy Christmas season, the ICO is reminding retailers that people have the right to know what happens to their personal data. Retailers need to be aware of their obligations under data protection and privacy laws.
Here are the key questions you need to be asking before you start to collect information.
What are you telling customers?
Retailers must understand it’s not enough to assume that because a customer has given their email address to receive an e-receipt that they are happy for it to be used for other purposes. Being transparent about the collection and use of data and giving customers informed choices over how their data will be used is key to ensuring compliance with the law and building trust.
“We’ve started emailing receipts as it’s better for the environment. Would you like to give us your email address?”
“Are you sure you don’t want your receipt by email as you may lose the paper version?”
“We don’t do paper receipts anymore so if you want a receipt you need to give us your email address”
These are the types of statements that have been heard at tills in a range of stores – none of which suggest that an email address and purchase details will be used for anything more than providing a receipt.
Whenever customer information is collected there must be a clear explanation given of how their information will be used. Our Privacy notices, transparency and control code of practice provides more detailed information.
Have you got consent to send marketing?
If email addresses are to be used to send electronic marketing, then the Privacy and Electronic Communications Regulations (PECR) must be complied with. In most cases, specific consent will be needed from the customer agreeing to marketing. For consent to be valid, it must be knowingly and freely given, clear and specific. It must cover both the particular organisation in question and the type of communication to be used. It must also involve some form of positive action – for example, by the customer clearly agreeing that they want to receive marketing. Customers should also be able to easily withdraw their consent. In the event problems arise, retailers will need to be able to clearly demonstrate exactly what an individual has consented to, how that consent was obtained and when.
Thinking of selling the data?
If the information collected is to be shared or sold to other organisations for marketing purposes then the customer’s consent for this will also be needed, and they must be made aware of the companies their information will be shared with. These rules apply to both online and high street retailers, and there is further detailed information in the ICO’s Direct marketing guidance.
Are staff fully trained?
Staff play a key role, and they should be fully trained so they can clearly explain to every customer exactly what their email address will be used for. It’s up to retailers to provide this training and ensure that customers are being told the right information at the right time. When it comes to the ICO taking enforcement action, it’s the retailer that will be punished if staff get it wrong.
Have you considered security?
Consideration will also need to be given to the security of this data, where it is stored, who has access to it, and how long it will be kept for. Our comprehensive guide to the Data Protection Act provides further guidance on how data should be handled.
Any customers who are not happy with the way their information has been collected or used can report their concerns to the ICO.