E-receipts are becoming more common but what are you actually agreeing to when you hand over your email address? The Data Protection Commissioner ("DPC"), having received numerous complaints, carried out a series of audits to assess how organisations gather and process personal data in the course of providing e-receipts to customers. In a number of cases it was found that email addresses, gathered for the purpose of issuing e-receipts, were being used to subsequently issue marketing material.
Where an email address is collected for the sole purpose of sending an e-receipt, the customer should not subsequently receive marketing emails. The retailer must obtain the consent of the customer to be able to send on marketing information. Customers should also be given the option to receive just the e-receipt and be able to opt out of receiving related marketing emails.
As discussed in our article on consent, the onus will be on retailers to show that specific consent to receiving marketing messages was obtained. Guidelines have also issued from the DPC stating that, where an email address is obtained in the context of a receipt, these details may only be used for direct marketing by email if:
- The product or service marketed is of a kind similar to that which was sold to the customer at the time their contact details were obtained;
- The customer was given the opportunity to object, in an easy manner and without charge, to their use for marketing purposes;
- Each time a marketing message is sent, the customer has the right to object to receipt of further messages; and
- The sale of the product or service occurred not more than twelve months prior to the sending of the marketing email or, where applicable, the contact details were used for the sending of a marketing email in that twelve-month period.
If a customer fails to unsubscribe using the cost free means provided to them, then they will be deemed to have remained "opted-in" to the receipt of such mail for a twelve month period from the date of the most recent marketing electronic mail.
Retailers who are abusing this process may face summary proceedings for an offence under S.I. 336 of 2011, brought and prosecuted by the DPC. Each unsolicited marketing email can attract a fine of up to €5,000 on summary conviction. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 if the offender is a corporate body.
The DPC has advised that where email addresses are gathered for e-receipts, retailers should have a policy in place addressing retention periods and deletion of this data.
Finally, retailers cannot insist on using e-receipts only and must continue to provide paper receipts if requested.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.