How the GDPR may impact your use of E-Receipts
This week we are looking at the recent flux in the use of e-receipts and the impact that the upcoming GDPR may have on this practice.
The issuing of said e-receipts is hardly cause for concern, as doing so shouldn’t land you in hot water with the Data Protection Commissioner (DPC).
Instead it is the further use of the data collected for marketing purposes that we will be focusing on.
An increasing number of retailers throughout Ireland have begun issuing e-receipts in lieu of their traditional hardcopy alternatives.
The practice has been called into question by the DPC in light of the upcoming GDPR despite the apparent benefits to both the customer & retailer.
A recent audit carried out by the DPC found that, in a number of cases, e-mail addresses gathered for the purpose of issuing e-receipts were subsequently being used to issue marketing material.
Using emails collected to populate marketing lists may help meet your KPIs; however, companies could be found in breach if the correct permissions were not obtained.
Consumers must be informed, at point of purchase, of the specific reason for collecting their personal email. In most cases this may simply be to send an e-receipt for convenience's sake. However, if the retailer intends to use the consumer’s personal data for further processing, then they must ensure that the consumer is informed of this & actively consents to such processing.
Under GDPR consent is only considered to be valid if it is a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Consent can be given in a number of ways, such as a written statement, including by electronic means, or an oral statement. It is important for the retailer to retain a record of the consent, as the onus will be on the business to demonstrate that consent has been received. Given the situation in which the interaction is likely to take place, consent may often be provided verbally. In such cases, the use of a double opt-in, whereby the consumer is subsequently required to confirm that they have opted in, would be advised. This would provide a clear paper trail should the retailer be audited.
When using this practice to collect marketing opt-ins, retailers must provide consumers with the option to opt out without any fear of detriment. On top of this, subjects must have the ability to withdraw consent without fear of the same, i.e. withdrawing consent shouldn’t lead to any negative consequences or costs for the data subject involved.
The following has also been outlined by the DPC:
“Where contact details have been obtained in the context of the sale of a product or service, these details may only be used for direct marketing by electronic mail if the following conditions are met:
- The product or service you are marketing is of a kind similar to that which you sold to the customer at the time you obtained their contact details.
- At the time you collected the details, you gave the customer the opportunity to object, in an easy manner and without charge.
- Each time you send a marketing message, you give the customer the right to object to receipt of further messages.
- The sale of the product or service occurred not more than twelve months prior to the sending of the electronic marketing communication.”
So, to summarize: if you are thinking of using emails collected for e-receipts for marketing purposes and you haven’t obtained explicit consent to do so, then think again!
If you would like any further assistance or guidance surrounding GDPR compliance feel free to contact us today at firstname.lastname@example.org or on +353 1 804 1298.