Black Friday is upon us once again and retailers have been gearing up for an increased flurry of sales. In recent years a practice has evolved of retailers offering customers the option to receive an electronic receipt at the check-out rather than handing over the traditional paper receipt.

Given that e-receipts are issued by email, some retailers spotted an opportunity here to build up a valuable database and use their customers’ email addresses not only to issue e-receipts but also to send marketing materials and promote their business.

However, where a customer provides their email address for an e-receipt, this does not mean that they are agreeing to receive marketing communications.

Back in June 2019, the Data Protection Commission (DPC) issued an updated version of its initial guidance to retailers on the issue following a series of audits. The guidance outlines what the best practice is for retailers in terms of data protection when using e-receipts.

We set out below the key points retailers and consumers should be aware of.

Make sure that the customer is made aware at the time their email address is collected that the address will be used to send them an e-receipt as well as marketing emails. It should be made clear that the customer is not under an obligation to provide their email and that they can opt-out of receiving marketing emails at any time.

The DPC guidance makes it clear that customers must be provided with the following information at a minimum:

  1. The identity and contact details of the retailer;
  2. The contact details of the data protection officer of that retailer, if they have one;
  3. The purposes of the processing for which the email address is intended as well as the legal basis for processing it;
  4. The duration of time for which the email address will be stored; and
  5. The existence of the customer’s right to access and rectification or erasure of their personal data.

When a customer has agreed to give their email address, the ePrivacy Regulations will apply to any emails sent to that address.

If retailers intend to gather email addresses for the purpose of e-receipts and at the same time use that email address for marketing purposes, retailers should provide customers with two separate blank tick boxes to enable the customer to indicate whether they wish to receive an e-receipt and/or they agree to receiving marketing emails.

Often in practice, a customer will simply be asked at the check-out counter if they would like to receive e-receipts. Where a customer says yes, this is not an open door for the retailer to also send that customer marketing materials to that email address. The customer should be given the opportunity to opt out.

Subsequently, every time a marketing email is sent to a customer who ticked the relevant box, such email should give the customer the opportunity to unsubscribe from the retailer’s marketing email list.

To comply with their accountability obligations under the GDPR, retailers must be able to demonstrate compliance with the law. They should also keep records of the email addresses collected and the customer’s choices regarding the receiving of an e-receipt and/or marketing communications.

Whilst many types of direct marketing require the affirmative consent of the customer (i.e. specifically opting in) under Regulation 13 of the ePrivacy Regulations, retailers may be able to rely on Regulation 13(11) of the ePrivacy Regulations, known as the “soft opt-in” exception. Under this exception, a retailer can send unsolicited marketing communications by email without the customer’s consent if:

  • the product or service being marketed is their own;
  • they are marketing similar products or services to that originally purchased;
  • the customer has been given a clear and free opportunity to opt out; and
  • the marketing communication is sent within 12 months of the purchase of the product or service or within 12 months of the last marketing email.

Here again, the customer should be given control over the emails they receive and a means to unsubscribe from marketing emails should be included in such emails.

Last but not least, retailers and consumers should be aware of proposed amendments to the ePrivacy Regulations. It was originally anticipated that a European-wide ePrivacy Regulation would be introduced at the same time as the introduction of the GDPR to replace the existing regime under the ePrivacy Directive. However, agreement has not yet been reached on the draft Regulation, and the exact text and timeline for adoption of the Regulation are still being developed.