Which? Claims Retailers Issuing E-receipts may be in Breach of GDPR Legislation

Computer Laptop Hands Internet Typing Keyboard

Consumer body Which? has conducted an investigation that has revealed several large retailers may be in breach of the European Union’s General Data Protection Regulation (GDPR) rules in how they issue e-receipts to their customers.

The investigation that was conducted by Which? – included retailers such as Topshop, Clarks, Gap, New Look, Dorothy Perkins, Arcadia Group (Miss Selfridge, Outfit, Burton), Schuh, Mothercare, Halfords, Currys PC World and Nike – showed that there marketing material being included in the e-receipts that were being issued. Which? sent mystery shoppers to these outlets to conduct research.

Which? said that their research revealed that: “A quarter (23%) of people we surveyed said they would prefer a digital receipt over a paper receipt. A similar proportion (24%) didn’t state a preference, suggesting that they didn’t mind either way. But four in 10 (39%) felt that there weren’t any benefits to them receiving a digital receipt, and 79% of people had at least one concern about e-receipts.”

As part of the investigation each retailer was visited a minimum of three times. On each visit the mystery shoppers sought an e-receipt but ensured to advise the retailer they did not give permission for any additional marketing. E-receipts issued by Mothercare, Schuh, Halfords and Gap contained promotional marketing, “indicating that the retailers may be breaking data protection rules”, Which? said.

The results showed that, with a single exception, the retailers did not broadcast any direct marketing emails once the customer had declined permission for this. However, the mystery shoppers recorded a number of instances where some marketing/advertising material was included in the email that carried the e-receipt. Promotional banners, requests to sign-up to newsletters and adverts for other products were all recorded during the investigation.

Under GDPR, the data protection legislation introduced by the European Union on May 25 this year, retailers are not permitted to issue direct marketing to new customers by email unless the recipient has provided consent for them to do so. An opt-out option must always be provided to the consumer. You can read the full report from Which? here.

A representative of the United Kingdom’s Information Commissioner’s Office (ICO) issued a statement which said: “Retailers must understand it’s not enough to assume that because a customer has given their email address to receive an e-receipt that they are happy for it to be used for other purposes.

“Being transparent about the collection and use of data and giving customers informed choices over how their data will be used is key to ensuring compliance with the law and building trust. Anyone who has received an e-receipt email that includes direct marketing when they have specifically objected can complain to the organisation that sent it in the first instance, and if they remain unsatisfied they can complain to the ICO.”

In order to be compliant with GDPR, retailers must ensure that they only broadcast material to their customers that they (the customers) have given clear consent for. Additionally, they (the retailers) must also provide a simple opt-out option for any in receipt of their emails.