Heading into the Christmas period, festive shoppers may notice an increasing number of retailers are offering receipts via email (e-receipts) rather than the traditional paper docket. Providing a receipt through email has a number of advantages for retailers and consumers. There is the obvious environmental benefit and it provides an easier means for customers to store and find receipts than an over-stuffed wallet.

However, new guidance from the Data Protection Commissioner (DPC) has stressed the need for retailers to ensure that when customers provide their details for the purpose of receiving e-receipts, they should be fully informed and consent to how that data may be used. Of central concern is the retailers’ use of email addresses for subsequent direct marketing.

Compiling a marketing database of previous customers is a potentially valuable asset to any retailer, but all retailers should ensure that any collection of customer data is fully compliant with their data protection obligations. A failure to do so could have damaging repercussions on brand reputation and lead to significant fines and criminal convictions.

The DPC has identified a number of key guidelines which must be adhered to if retailers wish to use customer details collected for the delivery of e-receipts, to subsequently issue marketing materials. These are as follows:

  • The product/service being marketed must be of a similar type to that which was sold to the customer;
  • At the time the details are collected, customers must be given a clear opportunity to opt out of receiving marketing material;
  • Each time a marketing email is sent, the customer should be given the right to object to receiving any further messages.
  • Any marketing email must be sent within 12 months of the purchase of the product/service. Alternatively, the marketing email must be sent within 12 months of the previous marketing email, where the customer has not unsubscribed within that period.
  • Retailers should keep an electronic record of whether a customer has opted to receive marketing emails or not. In circumstances where the DPC is investigating a breach of the rules on electronic marketing, the onus will be on the retailer to demonstrate they have received the customers consent.

The DPC highlighted that where email addresses are gathered solely for the purpose of providing e-receipts, retailers should draw up a retention period for the retention and deletion of these e-mail addresses.

It’s worth noting that each unsolicited marketing email can attract a fine of up to €5,000 on summary conviction. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 if the offender is a corporate body.