
Mandatory address title for online purchases: permitted or not?

When shopping online, customers are often required to choose an address title, such as “Mr” or “Ms”, prior to placing an order. The Court of Justice of the European Union recently ruled that this obligation when making an online purchase may be in breach of the General Data Protection Regulation (GDPR). What does this mean for online shops and the ordering process?

Is an address title really necessary?

This case involved SNCF Connect, a subsidiary of the French railway company SNCF that sells train and transport tickets. Customers had to provide an address title when making a purchase. French association Mousse took the matter to court, claiming that this obligation did not comply with the GDPR. The complaint was initially rejected by the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL). Mousse then turned to France’s highest administrative court, which in turn referred preliminary questions to the Court.

The Court then held that processing an address title for personalised communication based on gender identity is not necessary for:

  1. the performance of an agreement. Indeed, an address title is not necessary to enable the proper performance of a rail transport agreement.
  2. the legitimate interest of the railway undertaking. SNCF Connect considered direct marketing to be a legitimate interest for requesting address titles. However, the processing of the address title must be necessary to pursue that interest, which is not the case here, partly because the processing of gender identity is not strictly necessary for commercial communications.

Data minimisation

Besides the lack of a legitimate basis, the principle of data minimisation also plays a significant role. SNCF may not process more personal data than is strictly necessary for the purpose for which it is collected. Thus, the mandatory entry of an address title without clear necessity violates this principle. In this case, SNCF Connect could easily have used inclusive forms of address unrelated to gender identity, such as “Dear Customer” or “Dear Traveller”.

What are the consequences?

The Court’s ruling has direct implications for online shops in the EU. If personal data are compulsorily requested for a certain purpose without being necessary to achieve that purpose, there is a breach of the GDPR. Companies must therefore look critically at the personal data they collect. If an item of personal data is not necessary, it should simply not be requested as a mandatory field.

Tips for online retailers

What can web shops learn from this? Three practical tips:

  1. Think critically about what data you really need. In many cases, processing a name, address, e-mail address and payment information is sufficient for an online purchase.
  2. If you do want to incorporate an address title, for example to tailor the salutation of emails to the customer’s needs, make this field optional. Don’t force customers to make a choice.
  3. Have the ordering process scrutinised by a specialist to avoid violating the GDPR and other rules.

Conclusion

The mandatory entry of an address title may seem like a minor detail, but without necessity it can have unwanted consequences. This ruling underlines the importance of data minimisation; personal data are only lawfully processed if the processing is necessary for the purpose to be served.

Want to be sure your webshop is GDPR-proof? Then feel free to get in touch.


Bo van Maaren's recent blogs