EDPB recommends collecting consent to store credit card details for future transactions

On 19 May 2021, the European Data Protection Board (EDPB) adopted the pithily named Recommendation 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (Recommendations), in which it concludes that online retailers should only store credit card details where they have the consent of the individual to do so.

Consent is the 'sole appropriate legal basis'

In the EDPB's view, consent 'appears to be the sole appropriate legal basis' for storing credit card details—not only due to the increased risks to consumers in the event of a data breach, but also as a matter of putting the consumer in control of their data. The EDPB therefore recommends that 'the consent of the data subject should be obtained before storing his or her credit card data after a purchase' for any future transactions. The EDPB is therefore taking the same position that the French Council of State had taken in its judgment of 10 December 2020 (see our previous alert on that judgment here).

As a reminder, the standard of consent under the GDPR is strict. Consent cannot be presumed, nor can it be a precondition for the provision of goods or services. For consent to be valid under the GDPR it must be freely given, specific, informed, and unambiguous. Consent must also be delivered by a clear affirmative action, such as through a checkbox that cannot be pre-ticked. Consumers must also have the right to withdraw their consent as easily as they gave it.

Why not legitimate interest?

On legitimate interest, the EDPB explored the three elements of legitimate interest—(1) identification and qualification of the interest; (2) the need to process personal data for such an interest; and (3) the performance of a balancing test which falls in favour of the retailer—and concluded that the test fails on the second and third limbs.

On the test of necessity (the second limb), the EDPB considered that it 'is not evident' that storing credit card data to facilitate future purchases is necessary to pursue the controller's legitimate interest. Instead, any future purchase is a matter of choice for the consumer and should not be 'determined by the possibility to realize it "in one click".'

On the balancing test (the third limb), the EDPB—having recalled its previous guidance relating to the 'highly personal nature' of financial data in the context of data protection impact assessments—determined that the risk of harm to consumers in the event of a security breach of credit card data would take precedence over the controller's commercial interests. Additionally, the EDPB stated that consumers would not reasonably expect the automatic storage of their credit card details beyond what is necessary for the initial transaction. Accordingly, the EDPB concluded that the balancing test would not be made out in favour of the controller.

Scope of the Recommendations

It is worth noting that the Recommendations do not apply to all scenarios. According to the EDPB, the Recommendations do not cover payment institutions operating in online stores or public authorities. Additionally, the Recommendations are not relevant where credit card details are stored to comply with a legal obligation or to establish a recurring payment, for example as part of a subscription to a music or movie streaming service.

Comment

The Recommendations will certainly require many online retailers to revisit their current practices. Online retailers must ensure that they do not automatically store credit card details at checkout. Instead, consumers must be given a genuine choice when initially providing their card details as to whether they wish to store the credit card information for future purchases.

Online retailers should also ensure that they correctly manage user preferences. If a consumer withdraws their consent for a retailer to store their credit card details, the data should be deleted without undue delay, unless there is another legal ground to store the data.

If you would like to read Bird & Bird's previous alerts, please check out our Payments InFocus webpage here.
