Guidance for Retailers issuing E-Receipts
The Data Protection Commission (DPC) previously carried out a series of audits in order to assess how organisations gather and process personal data in the course of providing electronic receipts (‘e-receipts’) to customers. In a number of cases, email addresses gathered for the purpose of issuing e-receipts were subsequently used by retailers in order to issue marketing material. Following on from these audits, the DPC has produced guidance around the use of e-receipts to assist retailers adhere to best practice in this regard.
The practice of issuing e-receipts to customers is becoming more common in Ireland. An increasing number of retailers, at the point of purchase, are offering customers the option of receiving an e-receipt. In order to receive an e-receipt, a customer must provide a valid email address to the retailer. Customers should be advised, at the point of purchase, if the reason their email address is being requested is to provide them with an e-receipt, and it should be made clear to them that they are under no obligation to provide their email address so that they can be sent an e-receipt.
Separately, if an email address has been collected for the purpose of sending the e-receipt, and the retailer wants to use that address for sending marketing emails, the DPC is advising retailers that the customer should not subsequently receive marketing emails unless the retailer has informed the customer about this and has given the customer an opportunity to opt-out of receiving marketing emails. Retailers wishing to send marketing emails in this way must comply with the rules as set out in Regulation 13(11) of the ePrivacy Regulations (S.I. No. 336/2011) (‘the ePrivacy Regulations’).
Whilst many types of direct marketing require the affirmative consent of the customer (i.e. specifically opting-in) under Regulation 13 of the ePrivacy Regulations, retailers may be able to rely on Regulation 13(11) of the ePrivacy Regulations, which allows for direct marketing in the context of the sale of a product or a service, where certain conditions are met, and does not specifically require affirmative consent. The conditions retailers much meet to avail of Regulation 13(11) are the following:
- The product or service being marketed is your own product or service;
- The product or service you are marketing is of a kind similar to that which you sold to the customer at the time you obtained their contact details;
- At the time you collected the details, you gave the customer the opportunity to object, in an easy manner and without charge, to their use for marketing purposes;
- Each time you send a marketing message, you give the customer the right to object to receipt of further messages; and
- The sale of the product or service occurred not more than twelve months prior to the sending of the electronic marketing communication or, where applicable, the contact details were used for the sending of an electronic marketing communication in that twelve-month period.*
Thus, customers should be provided at the point of collection of their email address, with the means to ‘opt-out’ from receiving marketing material. This can be achieved by having an ‘opt-out’ tick box prominently displayed beside the customer’s email address field. The customer should also be given an easy opportunity to opt-out of further marketing communications each time they are contacted for marketing purposes.
As a best practice solution, the DPC recommends that the electronic point of sale system should display two blank tick-boxes - the first being ticked if the customer wishes to receive an e-receipt; the second being ticked if the customer agrees to receiving marketing via e-mail. Such an approach gives the customer clarity and control over the use of their contact details and will record the affirmative wish of the customer.
Retailers should have a means record electronically whether a customer has been provided with all of the necessary information and opportunities to opt-out of direct marketing. In circumstances where the DPC is investigating an alleged breach of the rules on electronic marketing, the onus is on retailers to demonstrate that they have met their obligations before sending a marketing message.
Retailers should have regard to their obligations under the General Data Protection Regulation (GDPR), as well as under the specific rules regarding direct marketing contained within the ePrivacy Regulations.
*NOTE: If a customer fails to unsubscribe using the free means provided to them by the direct marketer, then they may be deemed to have remained “opted-in” to the receipt of such electronic mail for a twelve-month period from the date of issue to them of the most recent marketing electronic mail.
Summary proceedings for an offence under the ePrivacy Regulations, may be brought and prosecuted by the DPC. A person who commits an offence under this Regulation is liable on summary conviction to a fine of up to €5,000 for each unsolicited marketing email.
A person who commits an offence under this Regulation is liable, if convicted on indictment, in the case of a natural person to a fine not exceeding €50,000. A person who commits an offence under this Regulation is liable, if convicted on indictment, in the case of a body corporate, to a fine not exceeding €250,000.
Transparency and Accountability:
Data protection law requires retailers to process data transparently and to be accountable to both the customer whose data they process and to the Data Protection Commission.
The key to the transparent processing of personal data is the timely provision of information to customers whose data is processed about what is going to happen to their information. Where an email address is obtained from a customer, they must be provided with the following information at a minimum:
(a) The identity and contact details of the retailer
(b) The contact details of the data protection officer of that retailer, if they have one
(c) The purposes of the processing for which the email address is intended as well as the legal basis for processing it
(d) The retention period for which the email address will be stored
(e) The existence of their right to access and rectification or erasure of personal data