Which? Research Revealed Potential GDPR Breach by Retailers Issuing E-Receipts

The consumer group Which? recently conducted an investigation into the issuance of e-receipts to customers. Many large retailers ask for email addresses to send digital receipts to customers, but Which? was concerned that this may constitute a violation of the General Data Protection Regulation (GDPR). In the investigation, Which? sent mystery shoppers to retailers like Clarks, Currys PC World, Dorothy Perkins, Gap, Schuh, Topshop, New Look, Arcadia Group (Miss Selfridge, Outfit, Burton), Mothercare, Halfords and Nike. It was reported that the retailers were including marketing materials with the e-receipts being issued.

According to the research, a quarter (23%) of surveyed people would rather have a digital receipt instead of a paper receipt. About 24% didn’t have any preference. But 39% felt that receiving a digital receipt does not have any benefits and 79% said they had at least one issue with e-receipts.

The mystery shoppers visited each retailer at least three times. On every visit, they asked for an e-receipt but made certain that they did not give the retailer permission to send them additional marketing materials. Nevertheless, the e-receipts from Gap, Halfords, Mothercare and Schuh included promotional material. Hence, the retailers may be violating the rules on data protection.

The research revealed that all but one retailer refrained from sending direct marketing emails, because they had not been given permission to do so. However, according to the mystery shoppers, there were several instances in which retailers included marketing or advertising material in the emailed receipt itself: promotional banners, ads for other products, and invitations to sign up for newsletters.

Under the GDPR, which the European Union started enforcing on May 25, 2018, retailers cannot email marketing materials to new customers unless the recipient has given permission. An opt-out option should always be presented to the buyer.

A representative of the United Kingdom’s Information Commissioner’s Office said in a statement that retailers should realize they cannot assume a customer would like to receive marketing information just because they gave their email address to get the e-receipt.

Transparency in the collection and use of information, and making sure that customers are informed about how their data will be used, are crucial to complying with the law and developing trust. A customer who receives an e-receipt email containing direct marketing, despite specifically not giving consent, can send a complaint to the organization in the first instance. If nothing happens, a complaint may be sent to the ICO.

To be GDPR compliant, retailers should make sure that they only send promotional material to customers who have given their clear and informed consent. In addition, retailers should include an opt-out option so that customers can exercise their right to stop receiving emails.