You don't need to be an 'investor' to invest in Singletrack: 6 days left: 95% of target - Find out more
Deep down, I guess we all know that shops and websites are constantly harvesting and using data about our purchases, but found it a bit disconcerting to just now get an email from B&Q asking me to review something I bought in store using the same card (without leaving any other details, obvs).
And yes, having checked their 'privacy policy', it seems they reserve the right to marry up my card details for a contactless payment with contact details left for an online purchase a couple of years back..
Are they all at this - can't remember ever getting contacted because of a particular card I used to pay for something in store...?
It's not something that bothers me in the slightest. I currently have 9040 unread emails, don't really care where they came from.
Edit : Although if I've specifically opted out of receiving communications then I do get a bit miffed.
I guess so, just was slightly unexpected that they were scraping card data from the tills and linking it to an online a/c.
Hamster error
Yep, common now. Would you like us to email you a receipt?
Apple have been at it for years. The Manhattan Apple store "knew" me in 2010 when I'd previously only shopped in the Norwich Apple store.
1) Once you work out how the data can be linked then it is easy to have an automated process that uses that data linkage to perform a task.
2) The time consuming bit can be trying to determine that data lineage and data map in a reliable way.
3) The clever bit is working out if there is any value in using the data.
Lots of companies do step 1 because they have invested in step 2 without ever checking step 3
Amazing - I have used my bank card to withdraw money from cash machines across the globe which were owned and operated by companies didn't know and never dealt with but amazingly I could still withdraw cash out of my little old bank account in the UK.
Normal - My bank card works
The only difference between amazing and normal is your expectation. I am still (a little) impressed with the way the banking system has managed to work together to let this work so seamlessly without the end user having to do anything clever.
Almost certainly in breach of gdpr. Companies rely on folk not knowing their rights and not complaining when their data is abused.
I have had all sorts of companies censured for gdpr breaches from local lawyers to the nurses regulatory body the NMC . That was a particularly egregious breach as i had no choice in giving them my data and they then sold my data without my consent
I guess so, just was slightly unexpected that they were scraping card data from the tills and linking it to an online a/c.
I'd be surprised if with B&Q their till, online and stocks systems aren't actually a combined thing by design.
Almost certainly in breach of gdpr
Their terms should all be freely available, wouldn't be too hard to figure out if there's a breach. Edited, away on a Google rabbit hole.
Not 100% what the search term would be for this specific topic on the ICO/regulations. (E-receipts and post sale communications?)
How is using the data for the purpose they say it was gathered for breach of GDPR?
having checked their ‘privacy policy’, it seems they reserve the right to marry up my card details for a contactless payment with contact details left for an online purchase a couple of years back
Ask to be removed from mailing lists if it bothers people, but personally I think the benefits of companies having my info and using it for legit purposes outweighs the minor annoyance of being asked to review something or do a survey from time to time.
that they were scraping card data from the tills
That sort of implies an under-handed way of collecting the till info in the first place - the reality is every till transaction is stored in a central DB (or multiple) so cross-referencing till purchase data with online purchase data would be trivial
How would they know that an in-person customer has consented to this use of their personal data? In order for their system to work they are processing personal data on the assumption that till customers have already consented elsewhere to them doing so. What’s next? Facial recognition systems to track cash customers and link their purchases?
How would they know that an in-person customer has consented to this use of their personal data?
I suspect:
contact details left for an online purchase a couple of years back
will have had a consent element to it that OP could have opted out of if they wanted to but was buried among loads of other stuff. Tick here to agree to T&C, etc. OP said they checked privacy policy and it's in there too.
In terms of knowing how an in-person customer has consented. Good question - that's a technicality I don't know the answer to. If it was happening live (thanks for purchase, I see you're on our database would you mind if we send you an online survey) I suspect something like the till reads the cc number and marries to database of customers. So the process of searching uses the card info just received and I suppose an in person customer who has not consented or refused that might claim they used it anyway. Other way round - here's our DB of consenting customers, let's see what else they've bought recently is only looking for a match between XYZ on the customer DB and XYZ on the transactions DB and so is that really using the non-consenting customer's data if it's in essence skipped over.
But you can object and have it removed, companies make that very easy now too. But as I said, the use for legit purposes (I had one recently for a product recall) to me outweigh the annoyance of being asked to leave a review for 3 lengths of pipe lagging or whatever.
Had an interesting discussion with Mum along these lines at Christmas. She was complaining about companies 'stealing her data' with cookies and then selling it for adverts of products she didn't want.
I pointed out that the adverts she was seeing were mostly pretty tailored to what she wanted compared to the random stuff on TV. She agreed that there were some very useful adverts on the computer but still was angry that the companies stole her data to know what she wanted and then give her targeted adverts. When I asked her what the down side of them having her data it turned out mostly to be 'the principle of it all' followed by some vague accusations of identify fraud, human rights and the evil of AI duplicating her.
I think that in order for this system to work they have to process the card number (which is personal data) or a repeatable hash of the card number (which is also personal data) as collected by the till in order to test it against the card numbers or repeatable card number hashes they’ve collected in their systems. I think they need consent for that processing; I don’t think you can speculatively do it to check whether you have consent from that person at the till.
is it though?
Card data in itself is just a 16 digit number. Sure, if you have access to the DB that tells you who they are, where they live, etc., then it's personal data
If no other data is stored just that "card number XYZ" bought something, all you need do is look for a 16 digit number on your consenting customer database for that number on the till log.
If N - then that data on the till log isn't used.
If Y - then as per T&C they can ask the system what card number XYZ bought, link the data together, and then ask Mr OP what he thought of his paint or whatever?
Almost certainly in breach of gdpr.
Go on, tell us which section of the regulations are being broken? I think I see as many "you can't do that because of GDPR" claims based on no considered information as businesses "insisting" on consent when its the wrong lawful basis.
Card data in itself is just a 16 digit number. Sure, if you have access to the DB that tells you who they are, where they live, etc., then it’s personal data
Card data is personal data. The definition in Europe is all encompassing, BUT of course they need to process the card data in order to get payment there's no law against processing the card number. It doesn't seem unreasonable to me that they have "customer accounts" in their system, or that card numbers (or hashes of card numbers) are stored in those accounts. If someone uses a card that has previously been used it makes perfect sense to me that the transaction details are stored against the customer account that used the same card previously. There will be many justifiable reasons for that - preventing fraud, better customer experience, accepting returns without a receipt, helping them understand who browses online but buys in store, etc. All likely "Legitimate interest" reasons for the data processing under the regs. The online account T&Cs, Privacy Notice etc will likely have highlighted (or possibly even explicit consent) for them to do this.
in order to test it against the card numbers or repeatable card number hashes they’ve collected in their systems. I think they need consent for that processing; I don’t think you can speculatively do it to check whether you have consent from that person at the till.
I think you are wrong: 1. I don't think they actually need consent at all to process their card details (its a massive GDPR myth); 2. that IF consent was required (which it may not be - depending on their view on Legitimate Interest), it is for the sending of emails to ask for a review. By the point the system does that, the transaction record is already in an account with whatever flags it needs set to send those emails. The aim of GDPR is not to stop businesses from doing business.
What Poly said.
You do have the right to contact the individual companies and ask them to remove your details from their system if it bugs you that much but then next time you use a card to buy from them you are giving them your details again...
Anything that can identify an individual, directly and/or indirectly is personal data.
Card data is personal data.
Define card data? I don't think it's as clearcut. If it CAN be used to indirectly identify but that means / ability to ID is removed is it still personal data? It's just a list of numbers, with no (available) meaning behind it. To me card data is the mapping of number to name, address, email, DoB, whatever. I'm just talking about a one column list of numbers of cards that bought something.
I was recently needing swipe card data at work, you swipe to access the site and we were looking at onsite data per day for planning some office refurbs (how many desks do we need in operation per day, so we don't refurb too many at the same time)
Security supplied to me with individuals names removed, I just know that card X was typically on site 4 days a week, Y 3 days, and so on, and by analysis can work out Tuesday and Weds are the busiest days and Friday the least, and that is we have N desks available that will cover any typical on site number plus some margin.
That data could be used to identify individuals if you had the mapping but our DPO was satisfied that card numbers alone did not.
Having a right to process data for one purpose does not extend automatically to all purposes, as I understand it. I would not expect card details from a transaction to be used for extending an advertiser or political viewpoint profile, for example. I would expect them to be used for the transaction and related purposes such as perhaps fraud prevention and processing product returns and refunds.
I don’t think they actually need consent at all to process their card details (its a massive GDPR myth);
I think the GRC here isn't GDPR, it's PCI-DSS. Anyone processing card payment has strict rules they have to follow such as the principle of "need to know" and breaching them can result in a hefty fine and Visa et al refusing to allow them to act a merchant.
@theotherjonv - GDPR is crystal clear your card number: 1234 5678 9012 3456 IS Personal Data. A hash of that hard number: a1b2c3d4 IS Personal Data if there is a way to get from the hash to the person. By the fact that using the card resulted in an email - it MUST be possible to link the two and therefore it IS Personal Data. the full definition is:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
People often try to deny stuff is "personal data" when actually they mean "special category data" or "stuff people care about keeping private" - rather than trying to present something as not personal data, it is usually better to simply accept it probably is and therefore make sure you process it within the law.
@zomg - you are right that just because they have details for one purpose does not mean they can use it for another purpose. Here's what the relevant part of their Privacy Notice says :
"When you use your payment card to make a purchase with us (either instore or online), we will link details of that purchase with other purchases made with the same payment card. (For security purposes, we don’t keep your payment card details for this purpose.) We use this information to better understand how our customers purchase from us. If you join the B&Q Club, or if you opt in to receiving marketing communications from us, we will link details of your purchases with us (including, if you have joined the B&Q Club, details of purchases made before you joined the B&Q Club) with the other details that we hold about you, and we may use this information to make our communications with you more relevant. You can opt-out of this use..."
There's then a big table that includes listing asking you for reviews as "Legitimate interests".
Define card data?
A per Polys posts. It doesn't matter its card number. What matters is that the store had the data to take a unique reference and tie that to the OP. That makes it personal data.
Am I the only one who really doesn’t give much of a shit what companies do with my data. I’m not that interesting and rarely make purchases beyond a couple of site for clothes and footwear. What’s the worst thing they can do with the data? Comedy and serious answers welcomed.
Thanks. I am a bit smarter this evening than I was this morning.
Am I the only one who really doesn’t give much of a shit what companies do with my data. I’m not that interesting and rarely make purchases beyond a couple of site for clothes and footwear. What’s the worst thing they can do with the data? Comedy and serious answers welcomed
Nah, most dont give a crap beyond being occasionally a little annoyed.
Am I the only one who really doesn’t give much of a shit what companies do with my data.
Nope, although I do derive enjoyment from how wound up and belligerent it seems to make people.
Am I the only one who really doesn’t give much of a shit what companies do with my data.
Nope, me either. And no practical way from preventing them getting it these days.
Thing that annoys me is companies like google striking deals with companies like b&q and card processors to link up purchasing data with location, browsing, and other such stuff to make ads slightly more targeted and relevant sometimes.
That’s my data. Pay me!
I think the GRC here isn’t GDPR, it’s PCI-DSS. Anyone processing card payment has strict rules they have to follow such as the principle of “need to know” and breaching them can result in a hefty fine and Visa et al refusing to allow them to act a merchant.
its fairly easy to bypass this by storing a hash of the cardnumber (or an encrypted hash) and looking up on that. No actual card details saved but easy to join references using the payment token, and completely legit under PCI-DSS
to make ads slightly more targeted and relevant sometimes.
Would you prefer less relevant advertising?