Retailers Issuing E-receipts may be in Breach of GDPR, Claims Which?

An investigation conducted by consumer body Which? has revealed several large retailers may be in breach of the European Union’s General Data Protection Regulation (GDPR) rules in how they issue e-receipts to their customers.

The Which? investigation found that certain retailers were including marketing material in the e-receipts they issued. The retailers investigated include Topshop, Clarks, Gap, New Look, Dorothy Perkins, Arcadia Group (Miss Selfridge, Outfit, Burton), Schuh, Mothercare, Halfords, Currys PC World and Nike. Which? sent mystery shoppers to these outlets to conduct the research.

“A quarter (23%) of people we surveyed said they would prefer a digital receipt over a paper receipt,” Which? noted when revealing their findings from their research. “A similar proportion (24%) didn’t state a preference, suggesting that they didn’t mind either way. But four in 10 (39%) felt that there weren’t any benefits to them receiving a digital receipt, and 79% of people had at least one concern about e-receipts.”

Each retailer was visited a minimum of three times during the course of the investigation. On each visit the mystery shoppers requested an e-receipt, and they were instructed to tell the retailer that they did not give permission for any additional marketing. Despite this, e-receipts issued by Mothercare, Schuh, Halfords and Gap contained promotional marketing. “This indicates that the retailers may be breaking data protection rules”, Which? said.

The results revealed that, with only one exception, none of the retailers sent any direct marketing emails to the customer once they had declined permission for this. However, the mystery shoppers noted that, in a number of instances, marketing and advertising material such as promotional banners, requests to sign up to newsletters and adverts for other products was included in the email that carried the e-receipt.

This could be interpreted as being noncompliant with GDPR, the data protection legislation introduced by the European Union on May 25 this year. Under this legislation, retailers are not permitted to issue direct marketing to a new customer by email unless the recipient has provided consent for them to do so. Additionally, an opt-out option must always be provided to the consumer.

A representative of the United Kingdom’s Information Commissioner’s Office (ICO) said in a statement that “retailers must understand it’s not enough to assume that because a customer has given their email address to receive an e-receipt that they are happy for it to be used for other purposes.

“Being transparent about the collection and use of data and giving customers informed choices over how their data will be used is key to ensuring compliance with the law and building trust. Anyone who has received an e-receipt email that includes direct marketing when they have specifically objected can complain to the organisation that sent it in the first instance, and if they remain unsatisfied they can complain to the ICO.”
