After 25 May 2018, data protection will be a high-risk issue for all retailers who fall within the scope of the GDPR. Organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. Moreover, the GDPR applies to any business that targets goods or services at individuals located in the EU – so retailers can be caught by the GDPR even if they have no physical presence in the Union.

Retailers should pay particular attention to how they obtain customers’ consent to marketing. The GDPR requires a high standard for consent to use personal data, and violation of the consent is a serious infringement.

Under the GDPR:

  1. Businesses must ensure that an individual consents to the processing of their personal data by clear, affirmative action, establishing a: (a) freely given; (b) specific; (c) informed; and (d) unambiguous indication of agreement.
  2. Acquiescence (e.g., failing to un-tick a pre-ticked box) will not constitute consent.
  3. Businesses must be able to demonstrate that the individual consented and consent was freely given.
  4. A transaction cannot be conditional on consent that is not necessary to the transaction.
  5. Individuals must be able to withdraw their consent to the processing of their data at any time. It must be as easy to withdraw consent as it was to provide it.

Common retail practices that should be reviewed:

These common practices could place retailers at risk of a fine.

  1. At the cash register
    • Are staff in shops instructed to ask customers for personal data at the cash register?
    • How do they ask for it and how is it used?
    • Is it shared with a third party?
    • Staff must (a) make clear to customers that they can choose not to provide their information and (b) explain exactly what the data will be used for. The request must not be presented to the customer as if it is a condition of sale.
  2. Online
    • Is customers’ personal data retained and used after they place an order? Is it sold or shared with third parties?
      • How is customers’ consent to this obtained?
      • Are consent provisions hidden in ‘small print’?
    • Information required for consent must be clear, distinguishable from other matters, and provided in an intelligible and accessible form.
    • Are pre-ticked boxes or confusingly phrased boxes used to obtain customers’ consent?
      • Pre-ticked boxes will not be sufficient – failure to object is not consent.
  3. Withdrawal of consent
    • Customers have the right to withdraw consent at any time. Withdrawing consent must be (a) free and (b) as easy as it was to provide it.
    • All communications should contain a free ‘unsubscribe’ link, telephone number or email address. Many retailers breach this requirement when marketing by post.
  4. Targeted data lists
    • Are data lists used to contact potential customers?
    • Data lists will still be permissible after 25 May 2018, if consent has been validly obtained. The purchaser of the data is equally responsible for ensuring that valid consent is in place.
    • Were data lists purchased before 25 May 2018?
      • Do not continue to use lists unless you are satisfied that valid consent is in place.

Case Study:

A random review of ten unsolicited marketing catalogs received during September 2017 indicated the following:

  1. None advise the recipient where the sender obtained their data.
  2. Five make no mention whatsoever of how the customer can unsubscribe or opt out of future mailings.
  3. Of the five that do mention unsubscribing:
    • One invites the customer call a UK landline.
    • One invites the customer to subscribe to the Mail Preference Service (MPS); and
    • Three say in small letters “If undelivered or to unsubscribe, please return to…”.

Arguably, none of these comply with the GDPR’s requirements.

How should you approach marketing?

The GDPR does not have to hinder marketing campaigns. However, retailers should:

  1. Ensure that campaigns are permission-based;
  2. Ensure that it is clear to individuals how data will be used;
  3. Provide a simple, free way for customers to unsubscribe;
  4. Ask for consent to pass details to third parties, and name those third parties;
  5. Record when and where consent was obtained and what it covers; and
  6. Buy data lists from reputable sources and seek an audit trail showing that consent has been validly obtained.