Online purchase ‘guest’ check-out a legal right

27 Jun 2024 data law

The data-protection authority in Finland recently imposed a fine of €856,000 on online retailer Verkkokauppa.com for storing customer data for an unlimited time period and forcing customers to create an account for purchasing items online.

A Pinsent Masons briefing note on the case points out that Verkkokauppa.com had not specified the storage period of the data collected for the customer accounts of its online shop.

Anu Talus, the Finnish data-protection ombudsman, found that customer-account data had been stored indefinitely unless customers requested that their data be deleted.

The case had come to the authority’s attention after a customer complaint.

The amount of the fine relates to the turnover of the business.

Create account

Verkkokauppa's practice of requiring customers to create an account to make online purchases violated data-protection law, especially the EU's General Data Protection Regulation (GDPR), the regulator found.

According to Talus, customers must have the option to check out from online shops as ‘guests’, leaving only the minimum of personal data that is necessary for payment and delivery.

"Large GDPR fines have tended to flow from security incidents and cyber-attacks that have led to personal data being compromised and made available on the dark web," Malcolm Dowden, a data-protection expert at Pinsent Masons, said.

"Examples include the £20 million imposed by the ICO on British Airways in 2020 and the £4.4 million imposed on Interserve in 2022. However, data-protection authorities also have power to impose substantial fines when the routine practices of a business involve violation of data-protection laws."

The Data Protection Ombudsman also ordered Verkkokauppa.com to specify an appropriate storage period for customer-account information and rectify its practice of mandatory registration.

Indefinite storage

Nicola Barden of Pinsent Masons said: "The fine demonstrates why it is important for controllers to consider data-protection laws throughout their customer journey and beyond.

"Indefinite storage of personal data will comply with data-protection laws in very limited circumstances. It also creates additional risk for controllers if a data breach was to occur, and makes responding to data-subject rights requests more challenging."

Verkkokauppa.com is a Finnish online retailer founded in 1992. It sells information technology, consumer electronics and household appliances, and gets over 80 million visits annually.

The company is planning to appeal the decision.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland
