Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent.
Online shopping has exploded in recent years. In 2020, the European statistical agency Eurostat estimated that 7 out of 10 internet users made online purchases within 12 months. The European Central Bank found that the total number of non-cash payments in the euro area increased by 8.1% year-on-year in 2019 (the last year for which statistics are available) to a total value of 162 trillion euros, including 45 billion transactions processed by retail payment systems worth 35 trillion euros. This growth likely increased during the COVID-19 pandemic, when many consumers turned to e-commerce.
The opportunities for retailers also present data protection risks. On May 19, 2021, the European Data Protection Board (EDPB) adopted Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (the Recommendations) to address the vast data processing operations behind those transactions. The Recommendations focus on when and how online retailers can store a customer’s credit card data after a sale or transaction for the sole purpose of facilitating that customer’s future purchases. The EDPB has expressly excluded from the scope of the Recommendations the storage of credit card data in connection with current contracts, such as subscription services, and the activities of payment institutions operating in online stores. The Recommendations refer only to credit cards and not to payment cards more generally (such as debit cards, prepaid cards, etc.). It is not clear whether the EDPB might have similar expectations of online retailers who store other payment card or direct debit data for the same purposes.
The Recommendations are not legally binding, but provide a brief exploration of the EDPB’s assessment of the legal bases available to the online retailer. The EDPB concludes that, in its view, the only appropriate legal basis for such processing is consent under Article 6(1)(a) of the General Data Protection Regulation 2016/679 (GDPR).
The appropriate legal basis for processing
As with any data processing, an online retailer (acting as a controller) must have a valid legal basis under Article 6 GDPR to store credit card data, including where the aim is to facilitate future purchases. The Recommendations examine and reject some legal bases commonly used in this context, with the EDPB concluding that each of the following is probably not appropriate:
- Contract (Article 6(1)(b)). Although the processing of credit card data is necessary to perform an initial contract to pay for goods/services, the Recommendations state that the storage of credit card data to facilitate further transactions is not strictly necessary for the performance of the original contract for the supply of goods/services that the customer has already paid for.
- Legitimate interests (Article 6(1)(f)). The EDPB notes that the ground of legitimate interests requires balancing the interests of the controller or third party against the interests and fundamental rights of the data subject, but makes it clear that it does not consider the storage of credit card data to facilitate future purchases necessary to pursue the legitimate interests of the online retailer. The EDPB believes that a consumer will decide whether or not they want to make another purchase regardless of whether they can do it “with one click”. In any event, the EDPB clarifies that the interests and fundamental rights and freedoms of the customer outweigh the legitimate interests of the online retailer, given the “highly personal character” of the credit card data and the serious impact on the customer in the event of a data breach. In addition, the EDPB notes that, in its opinion, a customer would not reasonably expect their credit card data to be kept longer than is necessary to pay for the specific goods/services that they buy.
- Legal obligations; public and vital interests (Article 6(1)(c) to (e)). The Recommendations also confirm that such processing cannot be considered necessary to: (i) comply with a legal obligation (Article 6(1)(c)), (ii) protect the vital interests of a natural person (Article 6(1)(d)), or (iii) perform a task in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)).
Therefore, through a process of elimination, the EDPB concludes that the only remaining legal basis for the storage of credit card data for future purchases is consent under Article 6(1)(a). Consent under GDPR is an extremely high standard (and is separate from PSD2 consent, as discussed in more detail here).
However, the EDPB does not address one important aspect of online retailing: customers can often choose to complete a purchase as a registered or guest user. While the EDPB’s considerations clearly apply to guest customers (where payment data is not typically stored for future purchases), the act of registering with an online retailer is usually a contract in itself. If the registered customer chooses to store payment data for future purchases, this storage is necessary to fulfill the registration contract between the retailer and the customer. In this case, it could be argued that the decision to use the service and have the payment data stored makes the storage necessary for the performance of the registration contract under Article 6(1)(b) GDPR and, therefore, does not require consent under Article 6(1)(a). Even if the registration does not constitute a formal contract, the provision of payment data for future purchases could be considered a pre-contractual step at the request of the customer, which would also constitute a legal basis under Article 6(1)(b) GDPR.
Following the Recommendations, online retailers that store customers’ credit card data for future purchases should seek consent for such processing and should consider how such consent can be implemented consistently with any other payment-related and customer-related consents they already obtain. As with any data processing that relies on consent as the legal basis, organizations should be aware that their customers have the right to withdraw their consent at any time, and that withdrawal should be free, simple and as easy for customers as it is to give consent.
Online retailers should keep in mind that the Recommendations, which deal only with data protection issues, are one of many considerations for online retailers that process credit card data. The major card schemes impose a number of other requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS) defines a number of security protocols, including restrictions on the storage of certain data such as card verification values.
The Recommendations underline that the EDPB considers it vital to foster confidence in the digital environment, in particular given the rise of electronic commerce in the wake of the pandemic. Online retailers should take note and watch for any further guidance in this space.
Latham & Watkins will continue to monitor and report on developments in this area.