How to protect your data when shopping

Do you know exactly how much of your data is being collected, by whom, and for what purpose? Our data protection experts discuss the risks when shopping – both online and in-store.

Online shopping scams

Many people have been tricked into buying products that either don’t exist or don’t match their expectations. So it pays to look for the warning signs. These include:
  • Prices that seem too good to be true, especially for designer and high-value products
  • Bad website design
  • Limited or no contact options (also beware if the email address is a Yahoo or Gmail account, rather than a corporate one)
  • No social media presence
  • Strange URLs with unnecessary words or characters or an unusual spelling. A reputable retailer will tend to keep its web address simple.
Buyers should also be aware of some of the most common shopping scams, particularly when people are anxious and products are in short supply. For example, during the early days of the coronavirus pandemic, there was a spike in online shopping scams, with people ordering protective face masks, hand sanitiser and other products which never arrived. Shoppers should also look out for website pharming scams, where cybercriminals spoof the site of a reputable retailer. The purpose of these sites could be to steal your money or personal data when you sign up or make a purchase.

Shopping data breaches

Even when you buy from a reputable retailer, this doesn’t mean you are safe. Poor security processes can make it easy for hackers to access a vendor’s systems and steal your personal and financial information. 

For example, the ICO fined Dixons Carphone half a million pounds for “systemic failures” in the way it safeguarded its customers’ data. As a result of this lack of care, an attacker installed malware on 5,390 cash registers at Dixons Travel and Currys PC World stores and put at least 14 million people at risk. This data breach left customers vulnerable to financial and identity fraud, and it is likely to have caused distress to many people. 

High street stores and personal data

Most of us have been there. We are in a shop, just about to pay for our purchases or sort a refund when the assistant asks for “a few details”; usually our full name, home address, and email. And, many of us will hand over this information without understanding why.

But the shop doesn’t need your details. Even television retailers, who previously had to request these to send to TV Licensing, no longer require this info from you. So you are entirely within your rights not to hand it over. 

Even if you ask for a refund, unless the store’s return policy explicitly states that you must provide this information (and most of them don’t), they cannot force you to do so. And, if the policy does declare that it needs your personal information, you should query why with a manager as this is not a legal obligation.

Crucially, with retail data breaches becoming a frequent occurrence, we should all think very carefully about why and what we need to share. Not least because cybercriminals don’t just care about our financial details – they can also cause havoc with our personally identifiable information. 

Facial recognition technology

Shopping centres and stores around the UK are using facial recognition tech. According to reports, Meadowhall shopping centre in Sheffield and Manchester’s Trafford Centre have both trialled the technology. An article in the Guardian also shared how a supermarket in Aylesbury used the tech to combat shoplifting. 

Consequently, there are concerns that millions of innocent shoppers could have had their faces scanned without knowing about it. And, while many people don’t understand the fuss (why does it matter if you are not breaking the law?), there are profound implications.

For example, algorithms have been shown to identify white people better than black people. And Big Brother Watch – a British civil liberties and privacy campaigning organisation – described how one black schoolboy was “swooped by four officers, put up against a wall, fingerprinted, phone taken, before police realised the face recognition had got the wrong guy”. This was surely a seriously stressful and upsetting experience. 

What’s more, while retailers currently appear to be interested in facial recognition as a means to combat theft, in our digitally interconnected world, it’s easy to imagine how it could be used to target shoppers with products they have shown an interest in. And, while there are said to be sophisticated systems in place to protect privacy, the Information Commissioner’s Office (ICO) has said that it is “deeply concerned” by facial recognition software.

At Keller Postman UK, we support clients who have experienced GDPR violations because of facial recognition software and algorithmic and automated decision-making processes.


Keeping your data safe

In most instances, shopping (online and off) is perfectly safe. But the risk does increase if you do not know what to look out for. At Keller Postman UK, we recommend following these handy tips to protect your financial and personal information:

  • Look for third-party reviews or get recommendations from people you trust to make sure an online retailer is reputable 
  • Research an unfamiliar product or brand with terms like “scam” or “complaint” 
  • Check that the payment page is secure (is there a padlock in the browser frame, and does the page address start with https://)
  • Never pay by bank transfer into a seller’s bank account unless you know and trust them 
  • Read delivery, exchange, refund and privacy policies carefully. If they are vague or non-existent, don’t risk it
  • Don’t buy anything online via an unsecured Wi-Fi connection such as a hotspot in a café. Instead, make sure you are connected via your secure Wi-Fi or a 3G/4G connection 
  • Know that if you pay by credit card/PayPal, you are afforded greater protection
  • Choose, use and protect your passwords carefully and use a different password for every online shop in case your details get hacked 
  • Keep software and virus protection up to date
  • Logout after you’ve finished your shopping session 
  • Keep an eye on your bank and credit card statements to see if there is anything you don’t recognise
  • Always question why a store needs your information. And, if you are in doubt, don’t give it to them
  • Be vigilant against online shopping scams (see above for tips)
  • Be smart. If a deal looks too good to be true, it probably is.

If you have been the victim of a shopping data breach, or if you are concerned that facial recognition software has breached your GDPR rights, contact us to find out how we can help. Our initial advice is completely free, and there is no obligation to proceed.

Contact Keller Postman UK’s expert data breach lawyers to discuss a data breach claim.
