DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Retail Stores: Customer Data, CCTV, and Loyalty Programmes

Retail stores collect far more personal data than most operators realise - from loyalty card enrolments and click-and-collect orders to CCTV systems and email marketing lists. This guide covers GDPR obligations for retail businesses across all key data categories.

Customer Purchase Data and Transaction Records

Every sale generates a transaction record: name, payment card details, purchase history, delivery address, and email receipt information. The lawful basis is contractual necessity (Article 6(1)(b)). Secondary use of this data for personalised marketing requires an additional lawful basis - typically consent or legitimate interests - separately from the transaction basis.

Retain transaction records for the period required by financial regulations (typically six to seven years for tax purposes), then securely delete them.

Loyalty Programmes and Card Data

Loyalty schemes collect points balances, redemption histories, tier status, linked payment cards, household profiles, and behavioural purchase patterns. Many retailers also link loyalty data to demographic information, location data, and browsing behaviour - creating detailed consumer profiles.

Using loyalty data for direct marketing requires a separate basis - usually consent under PECR (the Privacy and Electronic Communications Regulations). Your loyalty scheme privacy notice must disclose all data uses, sharing with third parties, retention periods, and member rights including erasure and objection.

CCTV in Stores: Retention Limits and Signage Requirements

CCTV is lawful under GDPR on the basis of legitimate interests (Article 6(1)(f)), but requires:

  • Signage at all entrances identifying the operator and purpose
  • Retention limits - the ICO recommends a maximum of 31 days for general security CCTV
  • Access controls - footage accessible only to authorised personnel
  • Legitimate Interests Assessment - documented justification
  • No cameras in changing rooms, fitting rooms, or toilets - this is an absolute prohibition

Email Marketing Opt-In at Point of Sale

Collecting email addresses at the till is high-risk for GDPR compliance. Verbal opt-in is nearly impossible to document. Pre-ticked boxes and bundled consent are invalid. Best practice: use a clearly labelled opt-in checkbox for marketing emails separate from loyalty or receipt email requests, record the date and mechanism of consent, and include an easy unsubscribe mechanism in every marketing email.
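As an added illustration of the point-of-sale best practice above (not code from the article or from Custodia), here is a small consent-capture model that refuses pre-ticked, bundled, or unclearly labelled marketing boxes, records the date and mechanism of a valid opt-in, and supports the unsubscribe path. All class and field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical till-side consent capture; names are illustrative only.

@dataclass
class ConsentForm:
    email: str
    marketing_box_id: str   # which checkbox captured marketing consent
    receipt_box_id: str     # which checkbox captured the e-receipt request
    marketing_label: str    # wording shown next to the marketing box
    default_checked: bool   # True if the marketing box was pre-ticked
    ticked: bool            # what the customer actually did
    mechanism: str          # e.g. "till touchscreen checkbox"

@dataclass
class ConsentRecord:
    email: str
    granted_at: datetime
    mechanism: str
    label_shown: str
    withdrawn_at: Optional[datetime] = None

class ConsentStore:
    """One evidenced marketing-consent record per email address."""
    def __init__(self) -> None:
        self.records: dict[str, ConsentRecord] = {}

    def record_marketing_consent(self, form: ConsentForm) -> Optional[ConsentRecord]:
        """Store consent only if it is separate, unbundled and a positive action."""
        if form.default_checked:                              # pre-ticked: invalid
            return None
        if form.marketing_box_id == form.receipt_box_id:      # bundled: invalid
            return None
        if "marketing" not in form.marketing_label.lower():   # unclear label
            return None
        if not form.ticked:                                   # nothing to record
            return None
        rec = ConsentRecord(form.email, datetime.now(timezone.utc),
                            form.mechanism, form.marketing_label)
        self.records[form.email] = rec
        return rec

    def has_marketing_consent(self, email: str) -> bool:
        rec = self.records.get(email)
        return rec is not None and rec.withdrawn_at is None

    def unsubscribe(self, email: str) -> bool:
        """Withdraw consent; the unsubscribe link in every email lands here."""
        rec = self.records.get(email)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        return True
```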

Click and Collect Data

Click and collect orders generate name, phone number for collection notification, payment data, and order history - processed under contractual necessity. Where third-party order management platforms process this data on your behalf, a Data Processing Agreement is required.

Store Cards and Credit Applications

Store credit applications are often processed by third-party credit providers who are independent data controllers under GDPR. You must provide a clear referral notice at the point of application explaining that the customer's data will be passed to the credit provider under their own privacy policy.

Employee Data and Shift Records

Retail employment involves payroll records, shift patterns, attendance data, disciplinary records, and health information. Key considerations:

  • Shift management software requires a Data Processing Agreement
  • Till-level performance tracking must be disclosed in your employee privacy notice
  • CCTV monitoring of staff must be disclosed in employment contracts
  • Health data collected during absence management is special category data

Omnichannel Data: Linking In-Store and Online Behaviour

Linking in-store purchase data, loyalty card usage, and CCTV analytics with online browsing behaviour, email engagement, and digital advertising profiles is one of the most significant GDPR challenges for modern retailers. Consent is typically required for behavioural profiling that links physical and digital identity. Custodia can scan your retail website and identify which third-party trackers and analytics tools are processing customer data without adequate consent.

Data Breach Response for Retail Card Breaches

Under GDPR, a personal data breach must be notified to the ICO within 72 hours. Payment card breaches almost always meet the notification threshold. Your incident response plan must cover detection and containment, assessment, ICO notification, customer notification where high risk applies, and documentation.

Scan Your Retail Website

Retail websites often run dozens of third-party scripts, advertising pixels, and analytics tools processing customer data without adequate consent infrastructure. Scan your retail website free at https://app.custodia-privacy.com/scan - Custodia will identify every tracker collecting data from your site and highlight the highest-priority compliance gaps in 60 seconds.

Originally published at https://app.custodia-privacy.com/blog/gdpr-retail-stores
