TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How to apply the GDPR data minimization principle to online sales Related reading: How opt-in consent really works



Online services and online sales are some of the areas that have potentially the most to gain and the most to lose as a result of privacy concerns. It all very much depends on the core privacy principles being correctly implemented or not.

It is important to keep in mind that many privacy laws and regulations, including the EU General Data Protection Regulation, have been implemented not only to protect consumers, but also most of all to instigate consumer trust necessary for the online services and sales to grow. The lack of trust and anonymity have been considered for a long time — and still are — some of the key barriers for the industry and the main reason why some will always put shopping offline first.

Many people rightfully ask: How is it possible that buying some item in real life involves, lawfully, often times only payment (unless for some special goods like prescription medicines, which may involve some identification), whereas buying the very same innocuous goods online involves (in addition to the digital footprint itself) handing over your name and surname, full address, email and phone number, registering and associating your purchase and history of your orders, activities and shopping preferences with your unique identity, etcetera.

By asking this question, consumers ask in a fully legitimate and justified way whether the process correctly implements the data protection principles and, most of all, the principle of data minimization. Unfortunately, such questions are often times dismissed or ignored by the industry, thus failing to reap the great potential benefits of increased online sales.

Without addressing the data minimization in a proper and creative way, which needs to take into consideration abilities and limitations of the online environment, implementing the GDPR results sometimes simply in longer notices or more annoying consent windows. This is very regrettable, and it also means that consumers will be less likely to be satisfied.

Applying data minimization in the correct way, on the other hand, means that the process as such is much easier and user-friendly. Less data to be provided results in an online transaction to be quicker and more efficient, which is of primary importance for consumers and online retailers.

What are the main considerations under the GDPR?

Even though the GDPR does not say explicitly that individuals must have the option of not identifying themselves or of using a pseudonym, it is still clear enough that this should be the way to go in many cases.

According to the GDPR, personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In addition to that, the GDPR principles require data to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed and also to be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

These rules are not only reinforced by encouraging using anonymous data — and, when not possible, pseudonymous data — but also by the provisions about processing that does not require identification. These provisions, on one hand, limit some of the obligations of controllers, but on the other hand, result in a firm message that the data minimization should go first, and the GDPR requirements may not be used as an excuse to collect more data than otherwise would be needed. Thus, if the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR.

In the context of online sales, the GDPR rules relating to consents and contracts are of great importance. This is because the primary legal basis for processing of personal data on such occasions is the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. However, apart from that, consents for additional processing activities (e.g., optional user accounts or preferences) are usually also being sought. This distinction and its consequences might be not always fully clear to the data subjects. Moreover, once the transaction takes place, legitimate interests of the controller, with opt-out mechanisms, are often times used for direct marketing activities.  

According to the GDPR, the consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data-processing operations despite it being appropriate in the individual case or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

All these considerations and rules, together with the data protection by design and by default, which effectively should result in data minimization and pseudonymization (where possible) being implemented into the process itself, lead to the conclusion that full contact details of consumers, including their official identity, should be sought only when relevant and needed for the transaction itself.

What are the consequences, and should we apply them in practice?

As it is quite clear that full contact details and official identity (name and surname), should only be sought when needed and relevant, the process itself needs to be understood and redesigned accordingly.

First of all, collecting such details would be only justified if the details were verified as to their veracity, and such verification would be necessary for the process itself. Thus, it should be clear that if providing "John"/"Jane Doe" in your contact details will not prevent the goods from being sold and delivered, abstaining from providing your official name and surname should be a viable option.

Second, shipment and payment providers are considered separate controllers, and they have distinct — although related — services to provide. This means that the data they might need for the process is not exactly the same data the online store will need, and sharing such data between these independent parties should not take place unless necessary.

From a practical point of view, payment providers usually have separate online forms or gateways that allow for the payment data to be provided to them directly, and a unique transaction number may suffice to associate the transaction with service/goods to be delivered. More creativity and adjustments might be required when it comes to the current shipment practices. Still, the GDPR is meant to instigate a new approach to processes and services, and there are various technical developments that should allow for a package to be collected based on a unique number or password to be provided or electronically inserted. Also, the customer does not need to pay for the goods herself, and the goods might still need to be delivered to yet another person. Collecting and associating all these details together by one company might be completely unnecessary for the transaction itself, even though, for example, the same transaction number might be used to make sure that payment was received and goods delivered as intended.

Last but not least, warranties, potential claims and taxes should not be used as an excuse to identify consumers. The same way as when buying goods offline, unique product number and transaction details should fully suffice, unless specific laws and regulations require more data for a very good reason. 

photo credit: Maik Meid Euro Scheine 1 via photopin (license)


If you want to comment on this post, you need to login.