High street stores and personal data: know your rights
Most of have been there. We're in a shop, just about to pay for our purchases, or sort a refund, when the assistant asks for "a few details"; usually our full name, our home address, and our email. Even if we're only buying a pair of shoes, or returning a scented candle, many of us will hand over this information without understanding why it is needed.
For some, it's about not making a scene. The assistant is friendly, and they appear to be in no doubt as to why they are asking for our personal information. Also, there's often a growing queue of people who aren't going to be happy with a customer kicking up a fuss and holding up the line. So, what should you do?
What should you do if a store asks for your personal information?
Put simply; the shop doesn't NEED your details. Even television retailers, who previously had to request these to send to TV Licensing when they sold or rented out equipment, no longer require this info from you.
And with stringent data protection laws now in place following the introduction of the General Data Protection Regulation (GDPR), you are entirely within your rights not to hand this over.
Do shops need personal data for a refund?
If you've challenged why the shop needs this information, you might have been met with a vague response; "to process the return", "for our records"...that sort of thing. However, we all have a statutory right to return faulty goods and, should you wish to change your mind about a purchase you simply need to do two things:
- Keep hold of the receipt
- Check out the shop's returns policy before you buy.
Unless the return policy states explicitly that you have to hand over this information (and most of them don't), then they cannot force you to. If the policy does state that it needs your personal information, you should still query why with a manager as this is not a legal obligation.
Why do retailers want this information?
Stores use your details for different purposes, most often for security, for marketing, and to improve the customer experience. You might like the shop retaining information about your shopping habits to help improve their service to you. For example, if you buy a particular shade of lipstick but can never remember the name, with access to the right info the shop assistant can find out that your preferred shade is 'Frosted Pink.' Also, most of us like it when we are offered discounts on our favourite buys.
That's fine. It's your choice. But even if you are happy with this, to protect your sensitive information, you should still care about how your personal details are stored.
What are retailers allowed to do with your information?
Any personal data we provide (e.g. email addresses collected at the point of sale) is protected by UK data protection regulations. This means that it must be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."
For example, if an email address is given so that you can receive an e-receipt, then your data can only be used for this specific purpose. There is no issue with a shop offering an e-receipt, but if your email address is then used to send you marketing emails without your consent they might also be breaching electronic marketing rules. You also do not have to give your email details to a retailer, and you can ask to receive your receipt in the normal way.
If a shop does want your data to market to you, then they must make it clear that this is why they are asking for your information, and you have to give your consent before they can do this.
How is your data protected?
With more and more shops using computers to store and process personal information, The Data Protection Act (the UK's interpretation of the GDPR) sets out how it can be used; and how it can't. The basic things you need to know is that:
- Your personal data should be processed fairly and lawfully
- It must be obtained only for a specified reason and can't be handled in a way that is incompatible with that purpose
- The information held must be adequate, relevant and not excessive when compared with the purpose for which it is to be used
- It must be accurate and, where necessary, kept up to date
- It must not be kept for longer than is necessary for the intended purpose
- It must be processed in accordance with the Data Protection Act. This means that it must be kept safe and secure, and that appropriate measures will be taken against unauthorised or unlawful processing of this information, as well as against accidental loss, destruction, or damage. So, businesses must keep the information backed up and away from any unauthorised access
- No company can sell or give away your information without your explicit consent.
What should you do if asked to hand over your details?
In most cases, we trust these retailers. Why wouldn't we? They are high street shops, with familiar names, big shiny signs above their windows and friendly authoritative staff. So, it can be easy to assume that they wouldn't ask us for our address if they weren't allowed to do so. We also trust them to hold our information safely once given.
However, in 2018, high street chemist Superdrug was held to ransom by hackers. The cybercriminals contacted Superdrug claiming to have accessed the details of 20,000 customers.
The compromised data included names, addresses, dates of birth, phone numbers, and point balances. And, while no bank or payment card details were believed to have been accessed, the information stolen is already enough to cause severe distress to those affected. And this is just one example of a high street retailer being hit by a data breach.
Today's cybercriminals don't just care about our financial details. They can also cause havoc with our personally identifiable information. In fact, with enough data, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.
So, should you hand over your details? Well, as with most things, you have a choice. A choice to ask questions, and a choice to exercise your own free will based on the answers that are provided to you.
While we have previously been content to hand out our personal information, with a huge jump in cyber fraud, it's perhaps no wonder that consumer confidence is now lacking, and that data breach claims are on the rise.
Can you make a data breach compensation claim?
When a breach happens, it's vital that the Information Commissioners Office (ICO) investigates. If the company is found responsible, the ICO will then issue a fine.
However, such fines are little compensation for victims who have suffered financial loss and/or stress due to an organisation's negligence. So, while the ICO does not award data breach compensation, our data breach solicitors can help you with that.
At Hayes Connor Solicitors, we've been helping people to get the compensation they deserve for over 50 years, so we know what it takes to make a successful data breach claim.
Data breaches often have severe consequences for those affected, and you could be entitled to thousands of pounds in compensation depending on your circumstances. And, because we offer no-win, no-fee funding arrangements, you have nothing to lose.