“Which?” magazine has claimed that a number of retailers are potentially breaching ePrivacy and data protection law when providing customers with email receipts. Its research revealed that 70% of consumers are 'generally mistrustful' of retailers when they provide their email address for the purposes of e-receipts.
“Which?” mystery shoppers visited 11 various high street retailers at least three times and requested an “e-receipt” (an email copy of a sales receipt) but added that they did not wish to receive marketing by email. Despite this, it is alleged, four of the retailers subsequently sent such marketing.
Although much business and consumer focus has recently been on the General Data Protection Regulation (GDPR), the operative law in this context is primarily a fifteen-year-old statutory instrument, which governs how e-marketing should be conducted. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) provide that one cannot send unsolicited electronic marketing to “individual subscribers” (which generally equates to private individual recipients, rather than business recipients) without consent, except where the sender has collected the recipient’s details in the context of a sale of, (or negotiations for the sale of) a product or service. However, when availing itself of this exception for existing or prospective customers, the sender must allow those customers a simple means of opting out of the marketing. A failure to respect this choice will be an infringement of the sender’s obligations under PECR and will expose the sender to possibility of regulatory sanctions by the Information Commissioner's Office (ICO), including the imposition of monetary penalty notices to a maximum of £500,000.
Guidance on direct marketing produced by the ICO makes clear that its definition includes "any messages which include some marketing elements, even if that is not their main purpose". This means that anyone sending e-receipts needs to ensure that they restrict their contents to what is strictly necessary, and to be aware that including extraneous marketing content potentially exposes them to legal, financial and reputational risk.
Mishcon de Reya's data protection experts have extensive experience in this area, and can advise both retail customers and private individuals on their obligations and rights under PECR and associated law.