Major retailers may be breaking data protection rules with e-receipts, Which? reveals

Which? is concerned that retailers are breaching data protection laws, after a snapshot investigation found some of the biggest names on the high street were including unwanted marketing information in e-receipts sent to shoppers.

The consumer champion sent mystery shoppers to 11 retailers – Topshop, Clarks, Gap (including GAP Outlet), New Look, Dorothy Perkins, Arcadia Group (Miss Selfridge, Outfit, Burton), Schuh, Mothercare, Halfords, Currys PC World and Nike.

Each retail group was visited a minimum of three times and in each case the mystery shoppers requested an e-receipt but told the retailer they did not want to receive any additional marketing.

Retailers must not send direct marketing to new customers by email unless the person receiving the email has consented to receive it. If a retailer asks for an email address at the point of sale and plans to send marketing information, they must give shoppers the option to opt out.

E-receipts issued by Mothercare, Schuh, Halfords and Gap contained promotional marketing, indicating that the retailers may be breaking data protection rules.

One shop sent a marketing email with the e-receipt attached, while others included prompts to sign up for the store’s newsletter or invitations to complete a survey in return for money off a future purchase.

In one of the stores visited, the Which? mystery shopper was correctly told by a store worker that the retailer was not allowed to send marketing information if a customer opted out but then subsequently received an e-receipt which contained marketing.

The Which? investigation also identified some good practice. In all three Topshop stores visited, there were signs displayed at the tills which included information on how customer details would be used and a prompt to find out more on the website.

Which? would like to see this approach become more commonplace, so customers can make an informed decision before handing over their email address.

Although most shops in the investigation complied with the law, the e-receipts received by the mystery shoppers which did contain unwanted marketing raise concerns that some retailers or their employees do not fully understand their obligations.

Which? has concerns that retailers may act inconsistently when it comes to their electronic marketing and this could lead to consumers being bombarded with unwanted marketing messages in e-receipts.

The consumer champion launched its investigation after conducting a survey of more than 2,000 people, which found 70 per cent were concerned about how retailers might use their data.

Almost three in five (59%) were concerned that if they received an e-receipt their email address might be shared with third parties, and just over two in five (42%) were concerned e-receipts made it easier for companies to target them with personalised marketing.

Alex Neill, Which? Managing Director of Home Products and Services, said:

“More and more shops are offering e-receipts, which can be convenient for shoppers, but our investigation suggests not all shops are aware of the law.

“Retailers must do everything possible to ensure shoppers can have confidence that they won’t be bombarded with unwanted marketing emails and that their personal details are safe.”

Notes to editors:

  • Which? sent mystery shoppers to 11 retail outlets across the UK to find out what data protection information was offered in-store and to examine the e-receipts received for their purchases. The mystery shoppers visited each retail group a minimum of three times with a total of 34 visits.
  • Which? surveyed 2074 UK adults online between 19th and 21st October 2018 regarding their attitude to e-receipts. The data is weighted to be demographically representative of the UK population and was conducted by Populus.
  • Which? has undertaken the ‘Control, Alt or Delete’ policy project to explore the consumer data landscape and help improve understanding of how online data is being collected and used.
  • Read the Which? guide on personal data here:
  • A Halford’s spokesperson said: “We take the privacy of our customers very seriously and would like to assure them that our e-receipts are compliant with the UK’s data protection law and conform to GDPR regulations. Our e-receipts do not contain any active promotion of products or services. In addition, the Data Protection Commissioner, which is the statutory authority for Ireland and works to the same EU legislation, has also reviewed our e-receipts process without raising any concerns. Since this review, we now include a recruitment banner on our e-receipts, but we do not believe that this constitutes the direct marketing of products or services.”
  • A Schuh spokesperson said: “To ensure we fully comply with GDPR we are taking on-going advice from third parties. Following your feedback, we have now updated the communications you highlighted. We are committed to achieving full compliance in all our marketing communications.”
  • Gap told us that they take the privacy rights of their customers seriously and are investigating this further.
  • Mothercare is yet to respond.


Press Release