Last month we talked about the Irish Data Protection Commissioner’s investigation into retail outlets issuing e-receipts. This investigation was launched because the Irish DPC had received a number of complaints from individuals who were receiving marketing emails after providing their email address in order to receive an e-receipt.
The practice of issuing e-receipts is becoming more common in Ireland and throughout Europe. This has led to the Irish DPC releasing some e-receipt guidelines for retailers and consumers so all parties involved know what is and is not acceptable.
The Irish DPC is advising retailers that where an email address is collected for the purpose of sending an e-receipt, the customer should not subsequently receive marketing emails unless the retailer has flagged this additional purpose at the outset and the customer consented to receive these emails.
Retailers must have an electronic record of customers who have or haven’t consented to receive marketing emails, as this will be asked for when any breach is being investigated.
The Irish DPC has also released four key conditions that must be met in order for a retailer to use customer details for direct marketing:
- The product or service is of a kind similar to that sold to the customer at the time their contact details were obtained.
- When these details were collected, the customer was given the opportunity to object to their use for marketing, in an easy manner and without charge.
- Each time a marketing message is sent, the customer must be given the right to object to receiving further messages.
- The details were collected within the previous 12 months, or the subscriber has received a marketing electronic mail within the previous 12 months and they have not unsubscribed using the cost-free means provided.
Retailers also risk being fined if they fail to comply, with each unsolicited marketing email attracting a fine of up to €5,000 on summary conviction. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 if the offender is a corporate body. The Irish DPC also advises that, where email addresses are gathered solely for the purpose of providing e-receipts, retailers should set a retention period governing how long these email addresses are kept and when they are deleted.
This news comes ahead of the General Data Protection Regulation (GDPR), which will apply in six months. If you haven’t begun your GDPR compliance project, or are in the middle of it, we recommend that you read November’s book of the month, EU General Data Protection (GDPR) – An Implementation and Compliance Guide. The guide covers:
- The GDPR in terms you can understand;
- The obligations of data controllers and processors;
- Guidance on the data protection officer role;
- What to do with international data transfers;
- Data subjects’ rights and consent; and
- Guidance on data protection impact assessments, including how, when and why to conduct one.