The Data Protection Commissioner (DPC) recently re-released guidance on the increasingly popular use of eReceipts by organisations. When used correctly they can be a convenient means of providing a record of payment for a product or service. However, when misused, they can annoy customers, breach ePrivacy regulations and leave organisations open to fines, loss of reputation and diminished goodwill. In this article we look at the practical steps organisations can take to ensure the technology is used correctly, the regulations that govern its use, and the stated preferences of the DPC.
The logic behind using eReceipts:
Organisations can use eReceipts to offer customers an emailed copy of the receipt for a transaction. This replaces the printing of a paper version that can be easily lost or destroyed. As well as helping shoppers keep track of their spending, eReceipts may save time and money for businesses during the holiday season.
Gathering contact details of customers is a potential strategic advantage for a business. Email addresses can be a valuable resource for marketing purposes. However, this represents a secondary purpose for processing the email address (other than the provision of a receipt) and requires certain actions to be taken by the organisation before using the data for such a purpose.
Requirements of the GDPR and ePrivacy:
When the EU adopted the General Data Protection Regulation (GDPR) in 2016, it was intended that the ePrivacy Regulation would also be updated in time for both to become applicable in 2018. However, the update of the ePrivacy regulation of 2002 is still making its way through a difficult revision process, and it will be some time in 2020 at the earliest before it is approved.
Under the current Irish rules (S.I. No. 336/2011), direct marketing via email is possible under two different lawful bases:
- Where affirmative consent is gathered from the customer to receive marketing;
- Under legitimate interest: where an existing relationship exists because the customer has already purchased goods or services, the organisation can communicate with them regarding similar goods or services. This is sometimes called the ‘soft opt-in’.
If availing of the latter option, strict conditions apply, and these are clearly set out in the guidance from the DPC:
- A) The product or service being marketed is the organisation’s own product or service;
- B) The product or service being marketed is of a kind similar to that which has already been sold to the customer at the time their contact details were obtained;
- C) At the time the personal details were collected, the customer was given the opportunity to object, in an easy manner and without charge, to their use for marketing purposes;
- D) Each time a marketing message is sent, the customer is given the right to object to receipt of further messages; and
- E) The sale of the product or service occurred not more than twelve months prior to the sending of the electronic marketing communication or, where applicable, the contact details were used for the sending of an electronic marketing communication in that twelve-month period.
However, the DPC prefers, as best practice, that marketing departments rely on an affirmative opt-in rather than on a demonstration that a customer was informed and did not opt out.
What this means for organisations:
Firstly, organisations should be transparent and upfront, informing the customer if they intend to use the email address provided for the eReceipt for any additional purpose, e.g. marketing (the ‘no surprises’ rule). This information must include the identity and details of the seller, details of the seller’s Data Protection Officer if they have one, the purpose and lawful basis of processing, retention periods, and information on the customer’s rights to access their data, rectify errors and have their data erased. This information can also be provided on the emailed receipt.
Secondly, organisations should ensure that the device used for collecting the email address also gives a clear option to (ideally) opt in to such marketing purposes, and that those purposes are clearly explained. (Note: an opt-in also permits broader marketing of products or services than would be possible under an ‘opt-out’ approach.)
Thirdly, organisations must make sure they can efficiently manage the recording of the giving (and any withdrawal) of consent, as well as all necessary information relating to the marketing purpose provided at the time consent was given. Remember – under GDPR Art 7.3 – the onus is on the organisation to be able to demonstrate compliance, and it must be as easy for the customer to withdraw consent as it was to give it. Do not underestimate the challenges that can be involved, or the potential penalties for failing to manage consent correctly (up to 5,000 Euro for each marketing email incorrectly sent!).
Lastly, remember that the giving of consent, or the absence of any action to unsubscribe, does not mean the right to market to a customer is perpetual. The DPC states that 12 months is an appropriate period after which marketing should cease unless the relationship is renewed or consent is given again.
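The four steps above, together with conditions A to E, amount to a specification for a consent ledger: a record of who consented or objected and when, which products they bought, what they were told at collection, and a check that is run before every marketing send. The following is an added, hypothetical Python sketch of such a ledger, not code from the DPC or from the article; all addresses, dates and product categories are constructed, twelve months is approximated as 365 days, and condition E is implemented exactly as the article states it (a sale or a marketing contact within the last twelve months keeps the soft opt-in alive). Condition D (an unsubscribe option in every message) is a property of the message itself and is left as a comment.

```python
"""Hypothetical consent ledger with a marketing-eligibility check (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

TWELVE_MONTHS = timedelta(days=365)  # assumption: twelve months ~ 365 days


@dataclass
class ConsentRecord:
    """One customer's email-marketing state plus an audit trail of events."""
    email: str
    consented_at: Optional[datetime] = None       # affirmative opt-in (basis 1)
    withdrawn_at: Optional[datetime] = None       # objection / withdrawal of consent
    last_purchase_at: Optional[datetime] = None   # soft opt-in anchor (basis 2)
    purchased_categories: set = field(default_factory=set)   # for condition B
    objection_offered_at_collection: bool = False            # condition C
    last_marketing_at: Optional[datetime] = None             # condition E
    events: list = field(default_factory=list)    # (when, event, detail) for Art 7.3


class ConsentLedger:
    def __init__(self):
        self._records = {}

    def _get(self, email):
        return self._records.setdefault(email, ConsentRecord(email))

    def record_purchase(self, email, category, when, objection_offered):
        r = self._get(email)
        r.last_purchase_at = when
        r.purchased_categories.add(category)
        r.objection_offered_at_collection = objection_offered
        r.events.append((when, "purchase", category))

    def give_consent(self, email, when):
        r = self._get(email)
        r.consented_at, r.withdrawn_at = when, None
        r.events.append((when, "consent_given", None))

    def withdraw(self, email, when):
        # A single call with no extra steps: withdrawing is as easy as giving.
        r = self._get(email)
        r.withdrawn_at = when
        r.events.append((when, "consent_withdrawn", None))

    def record_marketing_sent(self, email, when):
        # Condition D: the message sent here must itself carry an unsubscribe option.
        r = self._get(email)
        r.last_marketing_at = when
        r.events.append((when, "marketing_sent", None))

    def audit(self, email):
        return list(self._get(email).events)

    def may_market(self, email, category, own_product, now):
        """Return (allowed, reason) for sending one marketing email now."""
        r = self._records.get(email)
        if r is None:
            return False, "no record for this address"
        if r.withdrawn_at is not None:
            return False, "customer objected or withdrew consent"
        # Basis 1: affirmative consent, which the DPC expects to lapse after 12 months.
        if r.consented_at is not None:
            if now - r.consented_at <= TWELVE_MONTHS:
                return True, "affirmative consent"
            return False, "consent older than twelve months; renew it"
        # Basis 2: soft opt-in, conditions A, B, C and E.
        if not own_product:
            return False, "A: not the organisation's own product or service"
        if category not in r.purchased_categories:
            return False, "B: product not similar to what the customer bought"
        if not r.objection_offered_at_collection:
            return False, "C: no opportunity to object when details were collected"
        anchors = [t for t in (r.last_purchase_at, r.last_marketing_at) if t]
        if not anchors or now - max(anchors) > TWELVE_MONTHS:
            return False, "E: no sale or marketing contact in the last twelve months"
        return True, "soft opt-in"


def demo():
    """Constructed scenario; returns the eligibility decision for each case."""
    led = ConsentLedger()
    now = datetime(2020, 3, 1)
    led.record_purchase("a@example.com", "footwear", datetime(2019, 1, 1), True)   # 14 months ago
    led.record_purchase("b@example.com", "footwear", datetime(2020, 1, 5), True)   # 2 months ago
    led.give_consent("c@example.com", datetime(2019, 12, 1))
    led.withdraw("c@example.com", datetime(2020, 2, 1))
    led.record_purchase("d@example.com", "footwear", datetime(2020, 1, 5), False)  # no objection option
    led.give_consent("e@example.com", datetime(2020, 1, 10))
    led.give_consent("f@example.com", datetime(2019, 1, 10))                       # stale consent
    return {
        "stale_soft_opt_in": led.may_market("a@example.com", "footwear", True, now),
        "fresh_soft_opt_in": led.may_market("b@example.com", "footwear", True, now),
        "dissimilar_product": led.may_market("b@example.com", "insurance", True, now),
        "third_party_product": led.may_market("b@example.com", "footwear", False, now),
        "withdrawn": led.may_market("c@example.com", "footwear", True, now),
        "no_objection_option": led.may_market("d@example.com", "footwear", True, now),
        "fresh_consent": led.may_market("e@example.com", "insurance", False, now),
        "stale_consent": led.may_market("f@example.com", "footwear", True, now),
        "audit_trail_c": [e[1] for e in led.audit("c@example.com")],
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The check is ordered deliberately: an objection or withdrawal blocks both bases, affirmative consent is preferred over the soft opt-in (matching the DPC's stated preference), and the audit trail is what the organisation would produce if asked to demonstrate compliance.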
If you need any assistance with reviewing your existing policies and procedures or designing a future move to eReceipts, please do not hesitate to contact one of our advisors who can assist with compliance.