Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Guidance for Retailers issuing e-receipts

 

The Data Protection Commissioner (DPC) has carried out a series of audits to assess how organisations gather and process personal data in the course of providing electronic receipts (e-receipts) to customers. In a number of cases it was found that e-mail addresses, gathered for the purpose of issuing e-receipts, were subsequently being used to issue marketing material. Following on from these audits, the DPC has produced the following guidance on the use of e-receipts to help retailers adhere to best practice in this regard.
 
The practice of issuing e-receipts to customers is becoming more common in Ireland. An increasing number of retailers, at the point of purchase, are offering customers the option of receiving an e-receipt. In order to receive an e-receipt, a customer must provide a valid e-mail address to the retailer. A customer should be advised, at the point of purchase, that their e-mail address is being requested in order to provide them with an e-receipt.
 
The DPC is advising retailers that where an e-mail address is collected for the purpose of sending an e-receipt, the customer should not subsequently receive marketing e-mails unless the retailer had flagged, and the customer consented to, this additional purpose at the outset. Valid consent can be obtained in a number of ways. The rules are set out in Regulation 13(11) of SI 336.
 
Customers should be provided, at the point of collection of their e-mail address, with the means to “opt-out” from receiving marketing material. This can be achieved by having an “opt-out” tick box prominently displayed beside the customer’s e-mail address field. Retailers should have a means to electronically record whether a customer has agreed to receive marketing or not. In circumstances where the DPC is investigating an alleged breach of the rules on electronic marketing, the onus is on retailers to demonstrate that they had a subscriber's consent to send a marketing message.

Where contact details have been obtained in the context of the sale of a product or service, these details may only be used for direct marketing by electronic mail if the following conditions are met:

1. The product or service you are marketing is of a kind similar to that which you sold to the customer at the time you obtained their contact details.

2. At the time you collected the details, you gave the customer the opportunity to object, in an easy manner and without charge, to their use for marketing purposes.

3. Each time you send a marketing message, you give the customer the right to object to receipt of further messages.

4. The sale of the product or service occurred not more than twelve months prior to the sending of the electronic marketing communication or, where applicable, the contact details were used for the sending of an electronic marketing communication in that twelve-month period.*

 

*NOTE: If a customer fails to unsubscribe using the cost-free means provided to them by the direct marketer, then he/she will be deemed to have remained “opted-in” to the receipt of such electronic mail for a twelve-month period from the date of issue to them of the most recent marketing electronic mail.

  

Summary proceedings for an offence under S.I. 336 of 2011 may be brought and prosecuted by the Commissioner. Each unsolicited marketing e-mail can attract a fine of up to €5,000 on summary conviction. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 if the offender is a corporate body.

Finally, where e-mail addresses are gathered solely for the purpose of providing e-receipts, retailers should set a retention period governing the retention and deletion of these e-mail addresses.