The hidden truth behind e-receipts: are they a privacy backdoor?

Every piece of shared information leaves a digital footprint. Customer data is already a gold mine for the e-commerce industry, and the emergence of e-receipts could be another way to collect private data.

An e-receipt is a digital record of a financial transaction issued by a seller to a buyer. This form of receipt is typically delivered via email or through a mobile app after a purchase has been made online or in a physical store.

As commerce is pushing towards digitalization, e-receipts have emerged as an environmentally friendly alternative to their traditional paper counterpart. For example, coffee giant Starbucks saved 17,000 rolls of paper in just two months by issuing digital receipts.

E-receipts not only contribute to reducing paper waste but also offer convenience by allowing consumers to organize and access their purchase records digitally.

However, this digital record-keeping of the customers' transactions has a dark side to it. Audits by the Data Protection Commission (DPC) showed that in a number of cases, customers’ email addresses gathered for the purpose of issuing e-receipts were subsequently used by retailers to send marketing materials – potentially violating privacy laws.

Surveillance economy

While access to data about your purchases might be beneficial in some cases – retailers could send you discount coupons or offer similar products, for example – there’s always the question of privacy and safety.

“We live in a surveillance economy. The more data any company can gather on you, the richer the profile they have on you. This will make marketing and other manipulative tactics that much more effective,” personal cybersecurity expert James Wilson told Cybernews.

From his perspective, some retailers keep the information in-house for marketing purposes, while others might sell the data to data brokers.

“I hate to go all tin-foil-hat, but the more you can employ privacy-friendly tactics in your purchases and activity, both online and offline, the less marketers and other third-party actors will be able to manipulate your behavior,” he added.

Transparency and the right to opt-out

According to the DPC, at the point of purchase, customers must be told that they’re being asked for their email to receive an e-receipt. It must be made clear that giving their email is optional, and they can still get a hard copy receipt from the till if they prefer.

“There are laws surrounding email marketing that must be followed. You cannot gather a person’s email address from an e-receipt and then start sending them emails that they cannot opt out of. They must consent to this form of marketing, and it must be clear that such emails are, in fact, advertisements,” Benjamin Michael, Attorney at Michael & Associates, told Cybernews.

If emails are gathered to issue e-receipts, and the retailer plans to use them for marketing purposes, regulations require that the customer is informed beforehand and offered an opt-out. Customers should also be provided a simple way to opt out of being contacted for marketing reasons at any time.

Failing to do so may result in penalties, as it would violate the General Data Protection Regulation (GDPR) and the ePrivacy Regulations that are in force across European countries, or the CAN-SPAM Act in the US.

“Companies should be mindful of how they should use the customers' data collected for issuing e-receipts. Customer information can be used for marketing, given that they are given the option to opt-out. Retailers may use Regulation 13(11) of the ePrivacy Regulations for direct marketing; however, there are requirements that need to be fulfilled, such as giving customers the option to object both when data is being collected and with every marketing message,” Harrison Tang, CEO and Co-founder at Spokeo, told Cybernews.

Additional rules include that the advertised product or service should be similar to what the customer bought when their contact details were collected. Furthermore, this purchase should have occurred within the twelve months preceding the sending of the electronic marketing communication.

Cybersecurity risks

Another issue with gathering customer data to issue e-receipts is cybersecurity. No system is immune to hacking, and many in the industry do not have all the necessary cybersecurity measures in place. This puts customers’ data at risk, as the retailer's system can always be hacked and the customers’ data leaked.

“The risks involved in collecting and storing customer data through e-receipts include cyberattacks and data leaks, which could expose customers' personal and financial information to hackers or unauthorized parties. This could result in identity theft, fraud, or legal actions against the retailers,” Gary Huestis, an Owner and Director at Powerhouse Forensics, told Cybernews.

Companies should be transparent about how the customers' data is stored and what cybersecurity measures they are taking. Jake Munday, co-founder of retail shop Custom Neon in Los Angeles, told Cybernews that even though they issue e-receipts, they always allow customers to opt in to marketing communications rather than assume consent.

“This approach is not only legal but also builds trust with our customers. With the risk of cyberattacks and data breaches, it’s important for businesses to implement strong cybersecurity measures. We invest in secure data storage solutions and regularly update our security protocols to protect customer information,” he said.
