Are you a retailer creating new contracts with customers at the POS?
Data capture is at the heart of everything we do. The introduction of the General Data Protection Regulation (GDPR) prompted us to review how we capture that information and how we use it.
We know that many businesses are still unsure about the impact of the GDPR and how best to approach the subject. As a result, we have put together a list of tips centred on best practice for full compliance with the regulation.
Contract as legal ground
One of the legal grounds for processing customers' data is the performance of a contract. Below are a few scenarios we have illustrated for you, with a legal analysis of each situation.
Example 1. Customer enters a membership contract by giving their name and phone number to the cashier to become a member
This is a common scenario. The customer simply gives a form of identifier verbally, and the cashier keys this information into the point-of-sale system. Please note that the legal terms and conditions are available in a folder facing the customer.
Is there a contract now between the customer and the company?
Legal analysis according to GDPR:
A verbal contract has been entered into, but relying solely on verbal confirmation is risky. The main concern is that there is no proof that this person accepted the terms and conditions, nor that the store staff provided the correct information. It is therefore difficult to show that the processing is necessary for the performance of a contract. In the event of a compliance investigation or legal dispute, there is a significant risk that the retailer cannot meet the requirements of the GDPR and becomes subject to high fines.
Example 2. After passing the phone number the customer accepts the terms and conditions verbally
This scenario takes the previous example one step further. After the customer has given their personal information, we ask whether they accept the terms and conditions of the contract. Please note that the legal terms and conditions are still only available in a folder facing the customer.
Is there a contract now between the customer and the company?
Legal analysis according to GDPR:
Again, this depends on how much risk you are willing to accept. The main problem is the same as in the example above: how can the retailer prove that the information was given by the customer and not obtained by other means, and that the customer actually accepted the terms? If you keep the surveillance camera footage and have an audio recording so that what was said can be heard, you will have a stronger case for proving that the customer was informed. Keeping surveillance footage for a longer period is, however, itself processing of personal data and raises its own problems with purpose and storage limitation.
Example 3. Customer confirms the terms and conditions via SMS
Right after the customer has given their personal information, they receive an SMS. By replying Yes to the SMS they confirm the terms and conditions; the message contains a link to the complete terms and conditions.
Is there a contract now between the customer and the company?
Legal analysis according to GDPR:
A contract can be entered into in writing as well as by electronic means, so a confirmation of the terms and conditions by text message is a written confirmation of the contract. It also helps to prove what was agreed.
There is always a risk that the customer gave someone else's mobile number and that this other person replied Yes. A reply proves only that whoever holds the phone accepted the terms, not who that person is. In that case the retailer has not entered into the contract with the right person: the processing is still for the performance of a contract, just with the wrong person, which in some cases would probably be seen as excusable in proceedings.
Example 4. Customer receives second reminder via SMS
The customer did not respond to the previous SMS and receives a reminder to accept the terms and conditions.
Is there a contract now between the customer and the company?
Legal analysis according to GDPR:
You can argue that a contract exists simply because a phone number was given verbally, but it will be impossible to prove what was agreed. A confirmation from the customer by SMS is a good way to prove that a contract exists. Where the customer stays silent or inactive after the earlier request for membership, there is still no proof of what was agreed or said at the counter in the store. Sending a follow-up request is a step in the right direction towards obtaining acceptance of the terms and conditions. Until the customer replies, however, the company most probably carries the same risk as in example 1 above; once the customer replies, the position is the same as in example 3.
Example 5. Customer gives opt-in on a second display at the POS
The customer types their information into a tablet at the cash desk. After entering their mobile number, they are asked to confirm the legal terms and conditions.
Is there a contract now between the customer and the company?
Legal analysis according to GDPR:
This is the clearest version of an entered contract. If your company can register new members this way, there is little room to doubt the legal ground for processing customer data. The sequence of events should be: the terms and conditions are presented, the customer accepts them, and only then is their personal information gathered for processing. Once the personal information has been given, a contract can be claimed to have been entered into. Record the acceptance itself (when it was given and which version of the terms was shown) so that it can be produced later, since the whole point of this approach is to be able to prove what was agreed.
Verifying membership at point of purchase
A situation that often arises in the retail industry is that customers can verify their membership by giving a phone number or personal identity number at the cash desk.
We have made some notes in this chapter that may be helpful. Articles 6 and 7 and Recital 32 of the GDPR tell us what the law expects. The scenarios below may be of help.
Example 1a: Should the company still provide the possibility of customers identifying as members?
Yes. Here are a few scenarios based on popular ways of identifying customers.
Personnummer
If you have second displays in the store, you can let the customer scan their driver's licence themselves, or hand their ID or driver's licence to the cashier. If a customer does not have a driver's licence, it is preferable that they write down their personnummer (social security number) so that it is not overheard by other customers.
Mobile number, email
If they need to give a mobile number and/or email address to identify themselves, we do not recommend that they say it out loud. Preferably the customer types their mobile number into a second display screen, for example.
What is important in both cases is what kind of information you display once a member has been identified.
Example 1b: Could the cashier verify the customer’s membership if the customer tells its information verbally?
We do not recommend that customers give their information verbally, as it can be overheard by others. If a customer does not have an ID card or the possibility to enter their data themselves on a second display, you can always ask them to write it down on paper. The cashier must be trained not to read back or disclose any personal or additional information to the person. A further routine should be to destroy papers containing personal information as soon as they have been used.
With this said, the cashier can verify the customer's membership.
Example 2: Can you display bonus points earned to an identified member?
Yes. A points balance linked to an identified member does relate to that person, but showing the member their own balance on a second display, without disclosing any other personal data, should be fine. Simply ensure that no other information is displayed, intentionally or accidentally.
Consent as legal ground
Most retail companies' Data Protection Officers (DPOs) have probably chosen contract as the legal ground. We have made some notes in this chapter that may be helpful in case your DPO chooses consent as the legal ground instead. Article 7 and Recital 32 of the GDPR tell us what the law expects. There is no doubt that consent is much harder to comply with than the contract ground, but the scenarios below may be of help.
Example 1. Customer gives consent by giving their name and phone number to the cashier to become a member
Legal analysis according to GDPR:
For a valid consent, the cashier must first ask the customer whether they want to be a member and give all relevant information before asking for their consent. The cashier should tell the customer the purpose of asking for their personal information, for example: "We will process your information in order to send newsletters by email, send our monthly magazine to your home address and register bonus points for every purchase that you make." The customer must actively agree to these purposes, for example by saying "Yes", and strictly speaking consent should be sought for each purpose separately (see Example 4b below). A verbal consent has then been given, but relying solely on verbal confirmation is risky. The main concern is that there is no proof that this person accepted the terms and conditions, nor that the store staff provided the correct information. In the event of a compliance investigation or legal dispute, there is a significant risk that the retailer cannot meet the requirements of the GDPR and becomes subject to high fines.
Example 2a. After passing the phone number the customer accepts the terms and conditions verbally
Legal analysis according to GDPR:
Accepting the terms and conditions is not the same as giving consent. The customer has to give consent separately, in addition to agreeing to the terms and conditions. The company can receive and process the personal information only after the customer has both given their consent and agreed to the terms and conditions. We advise that you obtain both the consent and the agreement to the terms and conditions in writing.
Example 2b. Customer confirms via SMS
Legal analysis according to GDPR:
When a customer gives consent digitally and agrees to the terms and conditions, it must be clear that you are requesting both. The terms and conditions should be separated from the request for consent in the SMS.
One option is to ask for consent and for acceptance of the terms and conditions in two separate SMS messages, each answered with its own "Yes". Another option is to redirect the customer to a URL with separate checkboxes for consent and for the terms and conditions.
The URL should present the options to give consent, to deny consent and the procedure to withdraw consent. None of the boxes may be pre-ticked, as Recital 32 states that pre-ticked boxes do not constitute consent. The page could offer:
- ☐ Consent given for all purposes;
- ☐ Consent denied;
- ☐ Consent for some of the above purposes (a drop-down listing each purpose should be provided so the customer can select which ones).
The request for consent should be sent separately from the terms and conditions of the service contract. The SMS messages could be formulated like this:
"Welcome to the club! Here are the terms and conditions. Please reply 'Yes' to confirm you agree with the terms."
After the customer has answered that SMS, you could send another text with the following:
"Thank you! We are glad to have you with us. In order for us to provide the benefits of membership, we would like to ask for your consent to use your personal data. It will be used to send advertisements about campaigns, register bonus points and occasionally send emails to inform you about offers. Please reply 'Yes' to give your consent to this."
Example 3: Customer receives second reminder via SMS
Legal analysis according to GDPR:
This happens when the customer has not responded to the first SMS. It is normal, and even commendable, to send a reminder. For a valid consent, the customer must respond one way or the other, either allowing or denying you the right to process their personal information, because silence is not valid consent.
Example 4a: Customer gives opt-in on a second display at the POS
Legal analysis according to GDPR:
The second display should show the consent form clearly and plainly (its content must follow all the GDPR requirements). The customer must see that they have the option to opt in, to withdraw consent (the procedure for withdrawal should be stated there), and to request erasure.
Example 4b: Terms and conditions includes a section for obtaining consent from customers
Legal analysis according to GDPR:
The company's request for consent must be clearly distinguishable from all other terms and conditions. This can be achieved by stating every purpose for which the company processes data and requesting consent for each purpose individually and separately. The customer then has the choice to opt in separately to each purpose.