Your receipt by e-mail. Is this OK?

I’ve noticed an upsurge in retailers asking me for my e-mail address, so they can send me a copy of my receipt. If that is all they are going to use it for, then that might be great because I will then have an electronic copy that I can keep and not have to worry about finding the printed receipt, which may have been mislaid or faded or put through a wash? So this is a good thing. Right?

This seems to have come from UK retailers that have set up in Ireland and they have been doing this for some time back in their homeland. It’s now a growing practice across the retail sphere. No matter what the person at the till says, you don’t have to give them your e-mail address, so if you don’t want to give it, they can take a long walk off a short plank. They are required to provide you with a printed/written receipt for your purchase at the time of the transaction.

This post came to mind after seeing a Tweet from Brian Honan (a well-respected Irish InfoSec consultant).

This says two things to me:

  1. The staff member does not have an awareness of data protection requirements
  2. The retailer does not appear to be forthcoming with their data protection policies

Let’s take these in reverse order.

The retailer is capturing your personal data, ostensibly for the purpose of providing you a receipt. However, you have no idea of where they are storing this piece of personal data, who gets access to it or if they might use it for other purposes. This will not be allowed when the EU’s General Data Protection Regulation (GDPR) comes into force on the 25th May 2018. They will need to inform you in clear, concise and simple terms what they are going to do with your e-mail address (and any other personal data they gather from you), where they will store it, who they will share it with, how long they will store it for, tell you how you can request a copy of it, request it to be changed, request it to be deleted and other rights which the GDPR grants to you. So there will be quite an onerous burden on the retailer.

With regard to the staff member, when the GDPR comes into force, personnel that have permanent or regular access to personal data will be required to undertake appropriate data protection training. That means any staff that handle your personal data should be able to answer any data privacy questions you have or at the very least have somebody on-hand to do so.

I’m aware of one Irish electrical appliance retailer that has asked for your mobile telephone number for many years now. They store this along with your name and address, which they print on the receipt for warranty purposes. For any future purchases, you do not need to give them your name and address for printing on the receipt, they just ask for your mobile number and the address pops straight up. Convenient – eh? They also use the mobile number to send out special offers or notices of sales events by text message. In fairness, they will immediately cease doing so if you text them back the word STOP.

There is also a take-away that I am familiar with which, if you ring them by mobile to place an order, they will then send you a monthly text about specials for that month. They do honour the STOP request, but if you ring them again, your number goes back on the monthly text list. This action is in breach of legislation, as at no time are you notified that your number is being taken and used for these purposes and also for re-subscribing you to the text message.

I titled this post “Your receipt by e-mail. Is this OK?” and combining the e-mail address and mobile number scenarios above, I put it to you that you may be giving away more than you realise. You are giving the retailers a way of profiling your purchases – in a similar way to store loyalty cards, but it is a bit more insidious as it is not being made entirely clear to you at the time of purchase. They can tie your mobile number to what you purchased on that day and if they notice, for example, you are purchasing kettles on a regular basis, they might discern that you are in a hard water area and try to sell you water treatment solutions. This is probably the real reason they want to gather your e-mail address/mobile number … so they can generate sales leads.

When the GDPR comes into effect, this kind of carry-on by retailers will be more stringently controlled. However, in the meantime I would suggest if you are asked for your e-mail address you should ask to see their privacy statement and if they don’t know what you are talking about, just smile, get your receipt from the till, say thank you and leave.