Although winning and maintaining customer loyalty is a key goal for any retailer, it is especially important for businesses that specialize in niche products. Take the example of "Carets". Carets is a multichannel retailer that sells every product a guitar player and enthusiast may need - all types of guitars of course, but also sheet music, strings, metronomes, books about guitar music, course material, etc. To obtain a more cohesive view of customer buying preferences and loyalty in its stores, Carets would like to partner with a payment processing and marketing company. Such companies offer click-easy access to periodic or targeted key reports about customer transactions on the basis of the shop owner's payment data.
Carets would, among other things, like to identify the busiest days in its brick-and-mortar stores by calculating average sales and transactions and the overall total per sales ticket. Analysis of payment data also could help Carets generate marketing campaigns that drive measurable results. A further effective feature is the ability to track new versus repeat customers. More specifically Carets would be able to know its top 100 customers ranked by total amount spent for all time or to click on a customer name to see a full customer history and edit profile details.
But what about the data protection legislation? Is it permitted to process customer payment data for marketing purposes?
Keeping track: not prohibited as such
At least for customers who don't pay with cash, retailers need to process payment data in order to execute the payment itself. The question is whether these data can also be used for marketing purposes. Is it, for example, allowed to link all transactions performed with the same credit card together in order to have a view on the buying profile of that particular customer?
Under currently applicable European data protection rules, the answer is positive. However, the customer should know. When he shares personal data, such as credit or debit card data - with a retailer, he has an expectation about the purposes for which the data will be used. There is a value in honouring this expectation. To put it simply: if payment data are processed for more than merely executing the payment, the customer should be informed in one way or another about this further purpose.
Purpose limitation is a cornerstone of EU data protection legislation. It inhibits ‘mission creep', which could otherwise give rise to the usage of available personal data beyond the purposes for which they were initially collected. This doesn't mean that data that have already been gathered may never be genuinely useful for other purposes, not initially specified. There is a value in allowing some degree of additional use but only within carefully balanced limits. Keeping track of your own customer's buying behaviour via an analysis of his payment transactions in your shop, is therefore not considered as something entirely incompatible with the purpose for which the payment data are being collected. The condition is that the customer should be made aware of it. In an electronic commerce environment, this awareness is often created by providing each customer access to his own account profile.
Controller remains liable
Is it legally permitted to partner with a specialised company to carry out the analysis of the payment transaction data and provide, for example, monthly overview reports? The answer is again positive because no law forces the retailer to do everything himself. Processing payment and other personal data is something that may be outsourced to a specialist. From a legal point of view, the responsibility remains with the retailer. In the EU data protection legislation, the retailer will be designated as ‘the controller'. The specialised company that actually carries out the processing is called ‘the processor'. The most essential rule about the relationship between a controller and a processor is that the latter should never further use or communicate the data beyond the scope of the outsourcing.
Direct marketing: right to opt-out
Keeping track of your customer's buying behaviour by analysing his payment data is one thing. Another thing is to actually use this knowledge in practice and to send marketing messages to this customer about other interesting opportunities you can offer him. This further step will, evidently, only be possible if the customer has left contact details such as a home address, a phone number or e-mail address.
Under EU data protection rules everybody has a basic right not to be bothered by direct marketing messages. In practice this means that the retailer who will start to send messages to his customer has to inform the latter about his right to opt-out. The use of e-mail for direct marketing purposes is in principle only possible after prior consent (‘opt-in'). Prior consent is however not needed if the e-mail address of the customer has been communicated by him in the context of a previous transaction. To summarize: sending direct marketing messages to existing customers, via e-mail or otherwise, is legally permitted under the condition that the sender respects the customer's right to opt-out.
Sharing payment data: only after informed consent
Let's go back now to our initial example. Does EU law allow Carets to share its payment data with other merchants? Or with a specialised direct marketing company?
This further step will only be legally permitted if the customer gives his informed consent. Sharing payment transaction data for direct marketing from other merchants or for other products or services will be considered as something incompatible with the purpose for which these data have been provided.
In Belgium, courts have decided that this is also valid within one company. Banks, for example, have been sanctioned for having infringed data protection rules. Analyses of money transfer orders executed by the bank were re-used to select prospects for direct marketing about the bank's insurance activities.
Processing and re-using payment data for marketing purposes is consequently primarily a matter of meeting the customer's reasonable expectations. And isn't respecting such trust relationship, after all, an essential rule in a business context always and everywhere?
