Data Protection Commissioner issues guidelines after e-receipt complaints

10 Nov 2017

Customers have sent complaints to the Data Protection Commissioner about e-receipts. Image: NIRUT RUPKHAM/Shutterstock

Many people have reported receiving unwanted marketing emails from retailers.

The Office of the Data Protection Commissioner (ODPC) has noted that the practice of issuing e-receipts is becoming far more common in Ireland, but there are some problems.

While customers can request a paper receipt only, there have been cases where people have given their email details and been signed up to marketing emails without proper consent.

A number of complaints were directed to the ODPC, and several audits of how organisations collect, process and store data in terms of e-receipts were carried out.

The DPC, Helen Dixon, said in a statement that a number of cases saw email addresses gathered ostensibly for the issuance of email receipts being used to subsequently disseminate marketing emails to customers.

Clarity for customers

The ODPC noted that the practice of issuing e-receipts is becoming far more common in Ireland. It said that the customers should be clearly advised at the point of sale that the email address is needed to provide them with an e-receipt.

“The DPC is advising retailers that where an e-mail address is collected for the purpose of sending an e-receipt, the customer should not subsequently receive marketing emails unless the retailer had flagged, and the customer consented to, this additional purpose at the outset.”

The statement also clarified that customers should be provided with a way to opt out of receiving marketing material at the point their email address is collected. There should be a prominent opt-out tick box beside the email address field for the customer.

The DPC said retailers must have an electronic record of customers who have or haven’t consented to receive marketing emails, as this will be asked for when any breach is being investigated.

Four key conditions

There are four key conditions that must be met to use customer details for direct marketing:

  • The product or service you are marketing is of a kind similar to that which you sold to the customer at the time you obtained their contact details
  • At the time you collected the details, you gave the customer the opportunity to object, in an easy manner and without charge, to their use for marketing purposes
  • Each time you send a marketing message, you give the customer the right to object to receipt of further messages
  • The sale of the product or service occurred not more than 12 months prior to the sending of the electronic marketing communication or, where applicable, the contact details were used for the sending of an electronic marketing communication in that 12-month period

If a customer fails to unsubscribe using the cost-free means provided to them by the direct marketer, then he/she will be deemed to have “opted in” to the receipt of such emails for a 12-month period, from the date of issue to them of the most recent marketing email.

Fines for retailers

There is a risk of fines if retailers don’t comply, with each unsolicited email potentially attracting a penalty of up to €5,000 on summary conviction. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 if the offender is a corporate body.

The DPC also said there needs to be a process for the retention and deletion of email addresses for the issuance of e-receipts.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects