23 November 2016
On the surface it’s a simple question increasingly being asked by high street retailers. But sometimes this simple question doesn’t tell the full story.
An e-receipt can be more convenient at times, but it is also a way for shops to collect personal data about their customers and send them marketing.
In the run-up to the busy Christmas season, the ICO is reminding retailers that people have the right to know what happens to their personal data. Retailers need to be aware of their obligations under data protection and privacy laws.
Here are the key questions you need to be asking before you start to collect information.
What are you telling customers?
Retailers must understand that it’s not enough to assume that a customer who has given their email address to receive an e-receipt is happy for it to be used for other purposes. Being transparent about the collection and use of data and giving customers informed choices over how their data will be used is key to ensuring compliance with the law and building trust.
“We’ve started emailing receipts as it’s better for the environment. Would you like to give us your email address?”
“Are you sure you don’t want your receipt by email as you may lose the paper version?”
“We don’t do paper receipts anymore so if you want a receipt you need to give us your email address”
These are the types of statements that have been heard at tills in a range of stores - none of which suggest that an email address and purchase details will be used for anything more than providing a receipt.
Whenever customer information is collected there must be a clear explanation given of how their information will be used. Our Privacy notices, transparency and control code of practice provides more detailed information.
Have you got consent to send marketing?
If email addresses are to be used to send electronic marketing then the Privacy and Electronic Communications Regulations (PECR) must be complied with. In most cases specific consent will be needed from the customer agreeing to marketing. For consent to be valid it must be knowingly and freely given, clear and specific. It must cover both the particular organisation in question and the type of communication to be used. It must also involve some form of positive action – for example by the customer clearly agreeing that they want to receive marketing. Customers should also be able to easily withdraw their consent. In the event problems arise, retailers will need to be able to clearly demonstrate exactly what an individual has consented to, how that consent was obtained and when.
Thinking of selling the data?
If the information collected is to be shared or sold to other organisations for marketing purposes then the customer’s consent for this will also be needed, and they must be made aware of the companies their information will be shared with. These rules apply to both online and high street retailers, and there is further detailed information in the ICO’s Direct marketing guidance.
Are staff fully trained?
Staff play a key role, and they should be fully trained so they can clearly explain to every customer exactly what their email address will be used for. It’s up to retailers to provide this training, and ensure that customers are being told the right information at the right time. When it comes to the ICO taking enforcement action it’s the retailer that will be punished if staff get it wrong.
Have you considered security?
Consideration will also need to be given to the security of this data, where it is stored, who has access to it, and how long it will be kept for. Our comprehensive guide to the Data Protection Act provides further guidance on how data should be handled.
Any customers who are not happy with the way their information has been collected or used can report their concerns to the ICO.
Garreth Cameron is a group manager in our Strategic Liaison department. His team focuses on the business and industry sector.