Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent.

By Christian F. McDermott, Calum Docherty, and Victoria Wan

Online shopping has boomed in recent years. In 2020, the European statistics agency Eurostat estimated that 7 out of 10 internet users had made online purchases within a 12-month period. The European Central Bank found that the total number of non-cash payments in the euro area increased by 8.1% in 2019 (the latest year for which statistics were available) year-on-year, with a total value of €162 trillion, including 45 billion transactions processed by retail payment systems worth €35 trillion. This growth is likely to have accelerated during the COVID-19 pandemic, when many consumers turned to e-commerce.

The opportunities for retailers also present data protection risks. On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (the Recommendations) to address the vast data processing operations behind these transactions. The Recommendations focus on when and how online retailers can store a customer’s credit card data after a sale or transaction for the sole purpose of facilitating future purchases by that customer. The EDPB has expressly excluded from the scope of the Recommendations the storage of credit card data in relation to ongoing contracts, such as for subscription services, and the activities of payment institutions operating in online stores. The Recommendations only reference credit cards and not payment cards more generally (such as debit cards, prepaid cards, etc.). It is unclear whether the EDPB might have similar expectations of online retailers that store other payment card or direct debit data for the same purposes.

The Recommendations are not legally binding, but provide a brief exploration of the EDPB’s assessment of the legal bases available to the online retailer. The EDPB concludes that, in its view, the only appropriate legal basis for such processing is consent under Article 6(1)(a) of the General Data Protection Regulation 2016/679.

The Appropriate Legal Basis for Processing

As with any data processing, an online retailer (acting as data controller) must have a valid legal basis under Article 6 GDPR to store credit card data, including for the purpose of facilitating future purchases. The Recommendations discuss and dismiss certain commonly used legal bases in this context, with the EDPB concluding that each of the following is unlikely to be appropriate:

  • Contract (Article 6(1)(b)). Whilst processing credit card data is necessary to fulfil a contract to pay for initial goods/services, the Recommendations state that the storage of the credit card data to facilitate further transactions is not strictly necessary for the performance of the original contract for the provision of goods/services that the customer already paid for.
  • Legitimate interests (Article 6(1)(f)). The EDPB notes that the legitimate interests ground requires balancing the interests of the controller or third party against the interests and fundamental rights of the data subject, but clearly states that it does not consider that the storage of credit card data to facilitate future purchases is necessary to pursue the online retailer’s legitimate interests. The EDPB reasons that a consumer will decide whether or not to make another purchase regardless of whether they can do so “in one click”. In any event, the EDPB states that the interests and fundamental rights and freedoms of the customer outweigh the legitimate interests of the online retailer given the “highly personal nature” of credit card data and the serious impact on the customer if there is a data breach. In addition, the EDPB notes that, in its view, a customer would not reasonably expect their credit card data to be stored for longer than is necessary to pay for the specific goods/services that they are purchasing.
  • Legal obligations; public and vital interests (Article 6(1)(c)-(e)). The Recommendations also confirm that such processing cannot be considered necessary to: (i) comply with a legal obligation (Article 6(1)(c)), (ii) protect vital interests of a natural person (Article 6(1)(d)), or (iii) perform a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)).

Therefore, by a process of elimination, the EDPB concludes that the only remaining legal basis for the storage of credit card data for future purchases is consent under Article 6(1)(a). Consent under the GDPR is an extremely high standard (and is distinct from the notion of consent under PSD2).

The GDPR requires consent to be freely given, specific, informed, and signalled by an unambiguous affirmative act. Practically, this means online retailers should provide a checkbox that is not pre-ticked and should clearly set out, next to it, how the credit card data will be used. Ticking the box cannot be a pre-condition to completing the initial transaction. The consent must also be kept distinct from any other consents given (as well as from acceptance of the terms of service), so that accepting the terms can never be treated as consent to store card data.

However, the EDPB does not discuss an important aspect of online retail: customers can often choose whether to complete a purchase as a registered user or as a guest. Whilst the considerations of the EDPB clearly apply to guests (for whom payment data is usually not stored for future purchases), the act of registration with an online retailer usually constitutes a contract in itself. If the registered customer chooses to store payment data for future purchases, that storage is arguably necessary to perform the registration contract between the retailer and the customer. In this case, one could argue that the customer's decision to use the service and have payment data stored makes the storage necessary for the performance of the registration contract under Article 6(1)(b) GDPR and would, therefore, not require consent under Article 6(1)(a). Even if the registration does not constitute a formal contract, the provision of the payment data for future purchases could be regarded as a pre-contractual step taken at the request of the customer, which would also qualify as a legal basis under Article 6(1)(b) GDPR.

Next Steps

Following the Recommendations, online retailers that store customers' credit card data for future purchases should seek to obtain consent for such processing, and should consider how that consent can be implemented alongside any other customer- and payments-related consents they already obtain. As with any processing that relies on consent as its legal basis, organisations should be aware that their customers have the right to withdraw consent at any time, and that withdrawal must be free, simple, and as easy for the customer as giving the consent was.
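As an added illustration (not code from the EDPB Recommendations, the article's authors or any payment provider), the following Python sketches how a retailer might wire the consent requirements described above and the withdrawal right into a checkout flow: the checkbox default is verified as unticked, leaving the box unticked does not block the purchase, acceptance of the terms of service is never an input to consent, only an opaque processor token (never the card number or CVV) is retained, and withdrawal is a single call that deletes the token with it. All class, function and customer names, the consent wording and the card data are constructed for this example; the processor call is simulated.

```python
"""Consent-gated storage of a card token for future purchases.

Constructed example for this article; not code from the EDPB, the article's
authors or any payment provider. All names (CardVault, ConsentRecord, the
sample customers) are invented for illustration. The processor call is
simulated: only an opaque token is ever kept, never the PAN or the CVV.
"""
import dataclasses
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# The exact purpose text the customer saw next to the (unticked) checkbox.
CONSENT_PURPOSE = "Save this card so I can pay faster on future purchases"


class ConsentError(ValueError):
    """Storage attempted without a valid Article 6(1)(a) consent."""


@dataclass(frozen=True)
class ConsentRecord:
    customer_id: str
    purpose: str                      # wording shown when the box was ticked
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


def capture_consent(customer_id: str, purpose_shown: str,
                    checkbox_default: bool, box_ticked: bool) -> Optional[ConsentRecord]:
    """Turn a checkout form submission into a consent record, or None.

    Returns None when the customer left the box unticked: checkout continues,
    because storing the card is not a pre-condition of the purchase. Raises
    when the form itself is defective (pre-ticked box, or wording differing
    from the approved purpose), so the defect is caught rather than recorded
    as consent. Acceptance of the terms of service is deliberately not an
    input here: it can never stand in for this consent.
    """
    if checkbox_default:
        raise ConsentError("consent checkbox must not be pre-ticked")
    if purpose_shown != CONSENT_PURPOSE:
        raise ConsentError("purpose text shown does not match approved wording")
    if not box_ticked:
        return None
    return ConsentRecord(customer_id, purpose_shown, datetime.now(timezone.utc))


def tokenize_card(pan: str, expiry: str, cvv: str) -> str:
    """Simulated processor call: returns an opaque token usable for later charges.

    The PAN and CVV are used for this authorisation only and are not retained
    (PCI DSS prohibits storing the CVV after authorisation in any case).
    """
    del pan, expiry, cvv  # consumed by the (simulated) processor, never stored
    return "tok_" + secrets.token_hex(8)


class CardVault:
    """Holds processor tokens per customer, each tied to an active consent."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}
        self._consents: Dict[str, ConsentRecord] = {}
        self.audit: List[Tuple[str, str, datetime]] = []  # (event, customer, when)

    def store(self, consent: Optional[ConsentRecord], token: str) -> bool:
        """Store the token only against an active consent; otherwise refuse."""
        if consent is None or not consent.active:
            raise ConsentError("no active consent: card token must not be stored")
        self._tokens[consent.customer_id] = token
        self._consents[consent.customer_id] = consent
        self.audit.append(("stored", consent.customer_id, consent.given_at))
        return True

    def has_stored_card(self, customer_id: str) -> bool:
        return customer_id in self._tokens

    def withdraw(self, customer_id: str) -> Optional[ConsentRecord]:
        """One call withdraws consent and deletes the token with it.

        Withdrawal must be as easy as giving consent, so it is a single action
        with no further conditions. Returns the closed record, or None if
        nothing was stored for that customer.
        """
        consent = self._consents.pop(customer_id, None)
        self._tokens.pop(customer_id, None)
        if consent is None:
            return None
        now = datetime.now(timezone.utc)
        self.audit.append(("withdrawn", customer_id, now))
        return dataclasses.replace(consent, withdrawn_at=now)


def checkout(vault: CardVault, customer_id: str, box_ticked: bool,
             checkbox_default: bool = False) -> bool:
    """Run one checkout with constructed card data; returns whether a token was kept."""
    consent = capture_consent(customer_id, CONSENT_PURPOSE, checkbox_default, box_ticked)
    token = tokenize_card("4111111111111111", "12/29", "123")  # constructed test card
    if consent is None:
        return False  # guest-style purchase: charged once, nothing retained
    return vault.store(consent, token)
```

The design point is that the vault has no code path that stores a token without a `ConsentRecord`, and the record carries the exact wording shown and the time it was given, so the retailer can later demonstrate what the customer agreed to. Withdrawal is a single call rather than a separate request form, which keeps it as easy as the original tick.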

Online retailers should be mindful that the Recommendations, which address data protection issues only, are one of many considerations for online retailers that process credit card data. The major card schemes mandate compliance with a number of other requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS) sets out a number of security requirements, including a prohibition on storing sensitive authentication data, such as the card verification value, after authorisation, so even a customer's valid consent does not make that data storable.

The Recommendations highlight that the EDPB deems fostering trust in the digital environment vital, especially given the rise of e-commerce following the pandemic. Online retailers should take note and watch for any further guidance in this space.

Latham & Watkins will continue to monitor and report on developments in this area.