What are retailers permitted to do with the email addresses and customer information sometimes handed over by shoppers at checkouts? Here, Charlotte Ebbutt and Malcolm Gregory from law firm Royds Withy King explain the rules.
There is an increasing trend for retailers to ask shoppers for their email addresses at the checkout so that they can send them a “receipt by email”. So, what can retailers do with this customer information?
The management of personal data by businesses is a hot topic. Data hacks will make the front pages of our newspapers, and can attract significant fines.
With the General Data Protection Regulation (GDPR) less than a year away, retailers need to be careful when collecting customer information, and pay particular attention to the management of that data.
Email addresses collected at the point of sale are considered personal data under current data protection regulations and under the GDPR. The rules state that data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
This means that if an email address is given for the purpose of receiving an e-receipt, it must only be used for that purpose. A retailer cannot then use that customer information for marketing or any other purpose. Once the receipt has been sent the email address should be deleted, as the regulations do not allow for the unnecessary storage of personal data.
If a retailer wishes to use email addresses gathered at the point of sale for subsequent direct marketing this must be “explicitly brought to the attention of the customer” and presented “clearly and separately from any other information”.
A customer’s consent must be “freely given, specific, informed and an unambiguous indication of their wishes”.
Retailers will profile customers in a number of ways, whether through the use of loyalty cards, online behavioural advertising or using CCTV to record in-store images of known individuals – all of which will fall under GDPR regulations.
Consent will be needed from individual customers if that profiling has a “legal effect”. Unhelpfully, these legal effects have yet to be defined, but we would expect loyalty schemes where special offers are made available to some but not all customers to fall under this label.
If there is no legal effect then retailers are free to profile, provided that they have told customers about this and given them the opportunity to object.
Retailers should also bear in mind that the potential changes to data capture language or customer-facing documents won’t be the only consent they need to review. The data held on employees also falls under the new regulations.
Retailers will need to consider whether they are currently relying on express consent from employees to process employee personal data, and consider the alternative grounds which can be relied on instead.
Retailers need to ensure that they have implemented appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively.
If they do not already have them, they need to put mechanisms in place to assess and then report relevant breaches to the ICO where the individual is likely to suffer some form of damage, for example, through identity theft or a breach of confidentiality.
They also need to ensure that there are mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
The GDPR rules introduce mandatory data breach notifications to the ICO within 72 hours and in some cases to the data subjects too.
Retailers should consider how an actual breach will be handled. Different procedures might be in place if a complaint comes in via a customer service call or email than if the retailer discovered the breach internally through, say, its own IT system.
Either way, retailers should consider who else might need to be involved (insurers, PR agencies, other suppliers), and should raise awareness among all the workforce and train staff as to appropriate behaviour and procedures.
Retailers should also implement a joined-up approach across multinationals, as a breach may concern more than one jurisdiction. A review of training and internal policies is therefore essential to ensure that you are able to comply.
The penalties for failing to comply with the new rules are potentially harsh, with fines of up to €20m or four per cent of global turnover, whichever is larger. This is a significant increase from the current maximum of £500,000 under the Data Protection Act 1998.
Such a fine could have a significant impact on both large and small retailers, so non-compliance really is not worth the risk.
No matter the size of the business, it is likely that you will need to take some steps in order to ensure that you are prepared for the GDPR. The more complex the retail structure, the longer it will take to change processes and behaviours.
Charlotte Ebbutt is a solicitor in the technology and media team and Malcolm Gregory is a partner in the corporate services group at law firm Royds Withy King.