Discounts & Data: GDPR for Retailers

Oct 17, 2019 12:00:00 AM | EU Discounts & Data: GDPR for Retailers

What does the GDPR really mean for you as a retailer? Well, as is often the case with a subject like privacy: it depends. After you’ve determined that the GDPR is applicable because personal (identifying) data is involved, let’s take a look at today’s retail business operations and what it entails. We will go through specific aspects of direct marketing, e-commerce habits, and even efforts made for compliance offline, to get a better understanding of what the GDPR means for retail.


A common question that many businesses have regarding privacy is whether their way of doing business is in line with the GDPR. In the retail business, both digital and physical aspects of data protection are intertwined in a unique way. In this blog post we will analyse the most important aspects in this matter, which might make a major splash in your privacy pond.


If you sell from a physical shop, you’ll typically handle less personal data, simply because there are fewer ways that your customers will need to interact with you, therefore less data is necessary for a purchase. What you collect online will however help you offline. If you sell online, or are a distance seller, your customers typically may need to share more of their personal data during their buying journey. Not a lot of offline stores register addresses or view patterns for instance. Therefore, online retailers may well have a greater data protection burden than an exclusively physical store would. Distance sellers using catalogues and telesales may also have a fair degree of personal data on those to whom they sell, conventionally not as extensive as online retailers, but it might be considerable.

Direct marketing

Newsletters and other direct marketing tools are naturally a great way to get your latest offers delivered to the right target audience, and these channels are therefore widely used by many businesses across the retail spectrum. One of the questions that is frequently asked is whether with the GDPR in place, would mailing lists based on opt-out consent, or those purchased, would now have to be deleted or pushed aside. To answer this question, we have to revisit the who and the how. This might differ somewhat from country to country, as telecommunication laws differ, but the overall general strictest criteria to this are the following.

If there are individuals on your mailing list (that includes customers but also traders and partners), you don’t have to worry if:

You have acquired and registered affirmative, specific, opt-in and informed consent recently from the individual to include them on the mailing list. That means no pre-checked boxes and providing a privacy policy for instance. If you didn’t acquire the personal data yourself, individuals should have been informed about the categories of third party you belong to that would receive their data.

They were able to opt out of receiving the marketing communication at the time their data was collected.

You now provide an easy opt out in each marketing piece you send.

You should check this carefully however - if you don't, you might get in trouble if you keep and use the personal data. When the above criteria doesn’t apply, you may still rely on the single exception to this rule for having individuals’ data on your list: you may include them if the individuals are existing customers who bought a similar product or service from you in the past, you informed them sufficiently, and you gave them a simple way to easily opt out, both when you first collected their details, and also in every message you have sent since.

If you’re dealing with businesses, there’s no need to delete what’s in your database if:

You (e)mail any corporate body directly (for instance via an email address like
The company isn’t located in the EEA
You have their consent

Third-party marketing services

Many businesses use third-party marketing tools to supply them with advanced statistics on their marketing efforts. If you’re outsourcing any of your marketing activities, you might want to have your legal department take a look at the terms of contract like DPAs and terms of use, as well as your own privacy policies. These should show that both you and the organisation supplying marketing services on your behalf will be processing your customer’s data in line with the EU privacy regulation. 

General information collected via website

Chances are, you have a website already, or are doing most of your business online. Anyone buying anything online needs to supply personal data in order to make payment and delivery arrangements possible. You not only need to inform visitors about this processing, which relies on the legal basis of contract, but naturally also about all other activities using their data.

It’s likely that you will have the ability to view a customer’s past purchases from within your e-commerce software, and the characteristics of your customers will become more and more clear: their gender, dietary preferences, whether they have kids, any medical conditions, or if they have any pets, just to name a few. All of this information could allow you to cluster your customers into different demographics, which then you may then use to tailor your marketing strategies, appealing to different types of customers.

The above mentioned profiling is restricted by GDPR. So, not only do you need to take appropriate measures to protect this data and inform the individual, you might also be required to make an assessment of the risks involved in the form of a DPIA.

Additionally, the GDPR restricts decision-making without human intervention that might have serious negative impacts on individuals. The latter would include for example automatic refusal of credit cards, employee work evaluation, and (parts of) e-recruiting practices without human intervention. 

You can only carry out this type of automated decision-making when it is:

Necessary for contract related reasons - which means you should ask yourself if less far-reaching alternatives couldn’t be an option
Authorised by EU or national law
Based on the individual’s explicit consent - explicit consent goes further than mere consent, requiring the data subject’s signature, for example

Additional restrictions apply for special category personal data like sexual orientation, genetics and health, as well as for automated decision-making involving children. 



At the till

It’s likely that your till transactions are made via a payment provider - and so it’s actually this party, not you, that records payment data such as card details. You are still responsible however: in the interest of fair and transparent data processing, your customers should be able to know who the recipients of their personal data is, and how they process their payments.

Like online businesses, offline retailers can also get a good idea of customers’ shopping behaviour. While online businesses can typically access this information from their e-commerce software, offline retailers may use a number of creative ways to learn about those who shop in their store.

Offline customer profiling 

Before the GDPR came into force back in May 2018, if customers had given their contact info whilst purchasing a product, many retailers would simply add these to their database. However, as we all know, this doesn’t count as consent, and is certainly not in line with the GDPR.

Today, customers themselves will have to tick a box or take a similar informed, affirmative and documentable action, so that they can be said to have opted in to receive marketing communications from you. One of the ways to streamline this is by creating accounts and logins on your website. 

Customers might get tired of these eventually, so you’ll need an incentive. Luckily, everybody loves discounts and a personalised experience. Therefore a lot of customers are willing to supply their data and opt-in for a wide variety of business communication to get a little bit of extra service, or to be a part of loyalty programs and promotions including discounts. Do note that if consent is made to be a precondition to the service, but the tracking is not necessary for that service, consent is deemed to be invalid.

Whether it is through point-of-sale questionnaires, loyalty cards, or discount cards that log customer’s purchases, these are all considered profiling - and you’ll presumably be collecting a large amount of personal data. So again, you need to take appropriate measures to protect the data and inform the individuals, as well as possibly being required to do a DPIA. Additionally, you should check if decision-making without human intervention is involved, and act accordingly.


Many offline retailers learn from their counterparts online and send their customers electronic receipts via email. This is not only great from an environmental perspective, it also enables you to use email as part of your marketing strategy.

Do keep in mind though, that when you send your customers email receipts this does not necessarily mean that you can send them marketing messages too, as they have not opted in for that. 

Like with third party e-commerce providers, if you use third parties to send receipts, don’t forget to check how these third party processors are using your customers’ data. You should find out exactly how their personal data processing works and whether it is compliant - check the terms, or contact them in person, be it via phone or email.



Physical security is important for retail, especially when your till holds a significant amount of cash. Do you sell diamonds, or have a big number of customers who pay in cash? In any case, to keep the classic masked mugger from breaking open your safe and ruining a week of earnings, you might be considering to secure your money holding equipment with biometrics. This summer, a Dutch shoe retailer had the same solution in mind, when it required employees to open its tills by fingerprint. The Amsterdam District Court recently decided the retailer was in the wrong. A lot can be learned from this case about the handling of biometrics.

First off, the use of biometrics for access control is not specifically discussed in the GDPR. It does say that the processing of special category data like biometric data is forbidden unless a limited number of legal bases apply. These are limited and range from processing in the public interest, to processing for the protection of the data subjects’ health. None of the criteria applies in this case.

The GDPR also grants EU Member States the option to make choices regarding biometrics in their national legislation. If you are considering the use of biometrics, these should be considered. In the case of the Dutch shoe retailer, we have to take a look at the Dutch implementation of the GDPR, the UAVG, which grants the use of biometrics when the processing is necessary for authentication or security purposes. Based on this information, you would think our retailer was in the green.

Because the retailer forgot to map out whether using a fingerprint really was the only option (by performing a DPIA), the Court found the processing unproportionate and the retailer therefore non-compliant with the GDPR

This judgment was one of the first of its kind under the EU privacy regulation. The most important takeaway from it for retailers is that there must not only be a solid and lawful reason for the collection and use of biometric data, but that it also must be proportionate and the decision substantiated by performing a DPIA. 

There are other uses for biometrics, of course. In retail, one might think of AR, showing customers themselves wearing the clothes they are browsing. The list of legal basis that might justify the use of biometrics outside of security is limited however, and this makes biometrics in retail potentially troublesome. 



It may not be the most obvious, but your old CCTV shouldn't be overlooked either. It also counts as personal data. In the event that your store has security cameras, the images they capture are considered personal data since they enable you to identify individuals. The rules for special category data apply here, since the CCTV images will probably reveal special category personal data, like either racial or ethnic origin, data concerning health, or data concerning a natural person’s sex life or sexual orientation. 

So, to comply with the GDPR, you’ll have to put up a clearly visible sign that declares that CCTVs are present, and the reason behind their operation (or a link to your pivacy policy). Concerning your employees, they should be informed before they start work at your business. It’s important you only collect, use, share and store the images from the CCTV for particular, relevant reasons, after which you erase the pictures immediately when they’re no longer needed. What is less obvious, is that to comply with data quality obligations, the CCTV images should be clear and of a high quality. The images should only be accessible by authorised personnel, and security measures should be in place covering its storage, to comply with data security obligations. Your customers might also ask you for their images, as is their right, for instance when they have been pickpocketed and suspect it took place in your shop.


Geospatial tracking

Retailers have implemented fact-based decision making for a long time. To survive in the digital age, this practice is now taking a new direction. In addition to implementing advanced-analytics tools, companies are collecting more and more data to make sure they are making informed business decisions. One such example would be the deployment of new technologies such as beacons and WiFi-tracking to capture behavioral data. 

This technology is used for many purposes, including the production of heat-maps of websites and spaces, counting passers-by, and analyzing people’s movement and visits. This can of course be extremely useful for businesses to better understand the use of their floorspace, hence it’s popularity. 

Often this technology uses the MAC (Media Access Control) addresses and/or trilaterated locations of personal devices owned by data subjects. Since both can be used to identify individuals, the MAC addresses and location data are considered personal data, and require adherence to the GDPR. So whether you are considering implementing these technologies, or have already done so, there are some data protection issues to consider.

While there might be alternatives on the market for MAC addresses (hashed or encrypted versions), these would often be considered pseudonymous, and not anonymous. Pseudonymised data can still uniquely single out a single device belonging to a natural person and therefore falls under the scope of the GDPR. Once the data is truly anonymized (e.g. aggregated with a very significant sample size), so it can no longer be traced back to an individual, it will be out of scope of the GDPR, and can be used. Currently, the initial collection of data cannot take place on an anonymous basis, making the GDPR applicable.

You might want to consider who is the controller ultimately responsible for WiFi-tracking. In case the hardware is placed in a shop by a third party service provider, and the data is then made available directly for purposes pursued by the service provider itself, this third party may be deemed to be responsible for the processing. If you use WiFi-tracking for your own purposes, with your own hardware, using third party software, it is quite likely that you are the controller, and the third-party processor. 

Besides properly informing individuals that their data is being collected, the GDPR requires a legal-base to be present for any processing of personal data. Some retailers might choose to “trade” tracking for free WiFi, asking for consent during the login process. If consent is made a precondition to the service, but the tracking is not necessary for that service, consent is deemed to be invalid. Consent to WiFi-tracking should therefore be given as an opt-in, a non-required option. Additionally, individuals’ should be able to opt-out at any time. 

Another legal basis that might be considered is “performance of a contract”, which would imply that some sort of business relationship would exist between the customer and the retailer. One of the ways to explore this is to use an aforementioned loyalty or discount program. Not all your shop visitors, or even customers might subscribe to such promotional programs however. 

The last and most troublesome legal basis you might consider is “legitimate interest”. Here, the economic interests of businesses to get to know their customers by tracking should be balanced against the rights to privacy of these individuals. In this respect, you should consider the reasonable expectations of the individual and their relationship with you (for instance, are they a customer, or just passing by your store in the street? Do you have purely commercial interests?). The whole balancing act should be well documented and its essence explained to the data subject, for instance, in a privacy policy. The Dutch Supervisory Authority (AP) stated in this regard: “There are virtually no causes that justify the tracking of shoppers or travellers. Moreover, there are less intrusive methods to achieve the same goal, without violating privacy.” It is unclear however, what other measures there are to analyse how groups of people behave in an area with roughly the same effectiveness and insight.

For the moment, it seems WiFi-tracking remains in the gray. Eventually, we will have to see what impact the upcoming ePrivacy Regulation will have. In the end, the solution might be finding a way to properly anonymize data right at collection, preventing privacy legislation from being applicable, and the data free to use. 



Hopefully by now you’re feeling confident about your own efforts in complying with the GDPR, and have a clear handle on what you need to do as a retailer to handle your customers’ personal data correctly.

No matter whether you’re selling to individuals or businesses, online or offline, data today is a major asset for further growth for businesses, period. As data grows to become invaluable, the need to further secure that data also grows. As a retailer, you will be gathering a significant amount of data from your customers and employees, be it through security measures, targeted ads, brand awareness campaigns, discounts or loyalty programs, or just a direct communication line with customers. 

With all this in mind, it’s important to redouble your compliance efforts. From clearly showing customers the why’s and how’s of collecting data on your website, to physical notices in your shop, moving towards compliance will improve security awareness, bolstering disaster recovery, and business continuity plans. It will increase trust from current customers and open further opportunities to attract increasingly data sensitive prospects to your products or services. But above all, it allows you to sell more - safer.