Since August 1, 2023, a new regulation aimed at reducing massive waste has come into effect, ending the systematic printing of receipts. This change involves new rules to be followed, particularly concerning the collection and consent of customer data. What exactly does this entail, and what solutions are available for merchants? Let’s break it down together.
Which Receipts Are Affected by the Systematic Printing Ban?
According to Article L. 541-15-10, IV, 1° of the Environmental Code, the receipts targeted by the ban on systematic printing and distribution are as follows:
– Cash register receipts
– Card payment receipts
– Receipts produced by vending machines
– Vouchers and promotional or discount tickets
What Are the Obligations for Merchants?
Providing Choice
Merchants are now obligated to offer multiple options to their customers regarding receipts:
– No receipt : Customers can choose not to receive a receipt at all.
– Paper receipt : If the customer wishes, they can still request a paper receipt.
– Digital receipts : Merchants must offer the possibility of sending the receipt electronically, for example via email or SMS.
If your customer chooses the third option, be aware that you are subject to strict obligations regarding the protection of personal data, which we will discuss later.
The Issues of Dematerializing Receipts for Personal Data Protection
The dematerialization of receipts can lead to additional processing of personal data, particularly to enable the receipt to be sent by SMS or email. This therefore involves the collection and storage of information such as consumers’ phone numbers and email addresses.
It is in this context that the CNIL ensures that dematerialization practices comply with data protection principles and consumer rights.
What Is the Role of the CNIL?
The Commission Nationale de l’Informatique et des Libertés (CNIL) is the French regulator of personal data. It supports private and public entities in implementing their compliance with personal data protection.
The CNIL receives and handles complaints from individuals and has control powers, whether on-site or online. It can require an entity to regularize its processing through a formal notice or impose sanctions, such as fines.
Dematerialized Receipt: Rules to Follow According to the CNIL
Informing Customers About the Use of Their Data
Merchants must inform their customers clearly and transparently about the use of their personal data. This can be done in two ways:
– Brief information at the checkout : Display a brief explanation at the checkout so that customers are immediately informed.
– Providing access to complete information via QR code**: In addition to this first level of information, a QR code can be provided that customers can scan to access detailed and comprehensive information on how their data is processed.
Limiting Data Collection
If the merchant decides to send the receipt in a digital format, they should favor solutions that limit as much as possible the collection of personal data, or even avoid it altogether.
For example, retrieving the receipt via scanning a QR code only requires the collection of essential data to establish the connection.
The CNIL even encourages the development of these techniques and recommends using this approach.
However, if personal data is collected, it is essential that it is adequate, relevant, and limited to the predefined objectives.
Limiting Data Retention Periods
The retention period of personal data must be determined in light of the purposes of processing and any applicable legal obligations. Generally, laws do not specify a specific retention period. Therefore, the data controller must determine this retention period.
There are different data lifecycle stages to be aware of:
– Active database retention: Data is retained and accessible to respond to the processing purpose in the context of current and immediate use.
– Intermediate archiving: When data is no longer necessary for the processing purpose, it can be stored and made accessible only for generally administrative needs (litigation, accounting, fraud…).
– Final archiving: Data is retained long-term for legal or historical reasons but is no longer used in current operational processes.
To assist you, the CNIL has developed a practical guide on retention periods.
Securing Data Access
It is essential to ensure data security by implementing robust protection measures to ensure their integrity, availability, and confidentiality.
Moreover, it is crucial to avoid their disclosure to unauthorized third parties by ensuring that the data is only accessible to authorized individuals.
Facilitating the Right to Object to the Reuse of Contact Data
If contact data is collected during the issuance of a digital receipt, subscribing to commercial communications must not be automatic.
It is important to allow customers to give their consent or easily object to the reuse of their contact data, especially for sending commercial communications about their products/services. Merchants must offer clear and accessible means for exercising this right, such as opt-out options during data collection or unsubscribe links in commercial communications.
This ensures that customers can control the use of their personal data.
📌 Note that sharing personal data with commercial partners is always subject to the customer’s consent.
Neostore as a Solution for Complying with Data Protection Rules in Stores
Neostore allows the dematerialization of receipts directly into customers’ wallets. The solution offers the possibility of creating a customer account without collecting personal data. Then, it can be added to their wallet to find all their receipts. The customer then receives a notification indicating that their receipt has been added to their wallet. Perfect for easily tracking their purchases !
Moreover, Neostore integrates with various point-of-sale software, including:
– Cegid
– YOS
– Yocauda
– Bilieve
Limit Personal Data Processing Without Losing Contact with Your Customers**
Neostore offers an innovative platform using technologies that minimize personal data processing without losing contact with customers.
The platform allows the customer to simply present a unique and confidential code via their wallet to identify themselves at checkout, without having to share personal data.
As a bonus, customers can sign up and log in using the “Apple Sign-in” feature with the “Hide My Email” option, ensuring additional protection.
Keep Control of Your Storage
Neostore does not store customer data but transmits it directly into the merchant’s system or CRM tool (Cegid Retail, Salesforce, etc.). This approach allows control over data storage and limits duplication.
Minimize Personal Data Processing
The tool allows merchants to collect only the necessary data to achieve their objectives without imposing specific data collection.
Easily Collect Customer Consent
The platform facilitates the collection of customer consent through opt-in checkboxes and relevant information notices. The information necessary to comply with privacy regulations is provided transparently, with an information model available for merchants.
It also facilitates the exercise of customers’ rights over their personal data (modification, deletion, objection, etc.) directly in the wallets.
