NEWS12 December 2018

Retail e-receipts may breach data protection law

GDPR News Privacy Retail UK

UK – Retailers sending customers receipts by email may be in breach of data protection laws, according to research by consumer group Which?.

Data protection abstract image

Mystery shoppers were sent to 11 retail outlets, including Topshop, Mothercare and Nike, where they requested an e-receipt but told the retailer they did not want to receive additional marketing.

E-receipts sent out by Mothercare, Schuh, Halfords and Gap contained promotional marketing, "indicating that the retailers may be breaking data protection rules", Which? said.

Following the introduction of the General Data Protection Regulation (GDPR) earlier this year, companies must not send direct marketing to new customers unless the recipient has consented to the communication.

Retailers asking for an email address at the point of sale must give shoppers the chance to opt out, if they are planning to send marketing information.

While most of the shops in the research complied with data protection law, the e-receipts which did contain marketing "raise concerns that some retailers or their employees do not fully understand their obligations," Which? said.

The mystery shopping research was launched after Which? conducted a survey that found 70% of people were concerned about how retailers might use their data, with over half ( 59%) concerned that if they received an e-receipt, their email address may be shared with third parties.

Alex Neill, managing director of home products and services at Which?, said: "More and more shops are offering e-receipts, which can be convenient for shoppers, but our investigation suggests not all shops are aware of the law.

"Retailers must do everything possible to ensure shoppers can have confidence that they won’t be bombarded with unwanted marketing emails and that their personal details are safe."

A Halford’s spokesperson told Which?: "We take the privacy of our customers very seriously and would like to assure them that our e-receipts are compliant with the UK’s data protection law and conform to GDPR regulations. Our e-receipts do not contain any active promotion of products or services."

A Schuh spokesperson told Which?: "Following your feedback, we have now updated the communications you highlighted. We are committed to achieving full compliance in all our marketing communications."

Gap said it takes the privacy rights of its customers seriously and is investigating further. 

Mothercare told the Guardian: "We take the privacy rights of our customers very seriously and we are confident our e-receipts comply with data protection laws. We look forward to receiving Which’s findings so we can investigate fully."

Which? sent mystery shoppers to 11 retail outlets – Topshop, Clarks, Gap (including GAP Outlet), New Look, Dorothy Perkins, Arcadia Group (Miss Selfridge, Outfit, Burton), Schuh, Mothercare, Halfords, Currys PC World and Nike. Shoppers were asked to find out what data protection information was offered in-store and to examine the e-receipts they received. The shoppers visited each retail group a minimum of three times with a total of 34 visits.

The organisation surveyed 2,074 UK adults online between 19th-21st October regarding their attitude to e-receipts. The survey was conducted by Populus.