Following a recent series of audits and inspections, the DPC became aware that many retailers who were issuing e-receipts were doing so in order to obtain email addresses for marketing purposes. Unsolicited marketing emails can bring about fines for retailers ranging from €5,000 to €250,000.
Retailers that obtain customer email addresses for providing e-receipts must have a clear retention period in place for storing this information. After this period, the customer's email address should be deleted.
Any customer who provides their email address to a retailer must be informed as to the purpose or purposes of obtaining this information. If the retailer intends to send future marketing materials to the customer, the customer will have to provide consent for this additional purpose.
For customers who only want to receive an e-receipt, retailers should clearly provide an "opt-out" box for the customer to tick if they do not want to receive future marketing materials. This should be placed beside where the email address is given. The DPC has advised that retailers should have a means to electronically record whether a customer has agreed to receive marketing materials or not.
Further marketing emails can be sent to the customer in certain circumstances under what is known as the "customer exception", which sets out additional rules.
This guidance is a timely reminder for retailers as to the rules around usage of data generated by e-receipts. This is particularly important in the lead-up to the implementation of the GDPR in May 2018. Retailers should be reviewing and rewriting their current practices and policies in relation to the issuing of e-receipts as part of their GDPR readiness plans.