Did iZettle receive my email address from Monzo use?


(Heather) #1

I’ve just used my Monzo to make a purchase at a local cafe. The machine they used was iZettle and just after receiving the ping that $3.50 had come from my Monzo I also received an email from iZettle (whom I’ve never sent my details).

The email is attached.

Has this happened to anyone else? How did iZettle and this cafe get my details? Surely GDPR covers this sort of thing…


(Jonathon) #2

I’ve never seen that, but from a GDPR point of view this is asking you to opt in, so it complies in that sense.

They would then need to delete any data that they have no reason to retain.


#3

I am not sure it’s possible for a retailer to get email address attached to Monzo account just by using card with them…

I must say it’s weird would like to know how they got your email address.


#4

You didn’t have to enter your email to use their WiFi or anything did you?


(Tony) #5

Have you provided your email to receive a receipt from another retailer using izettle?

This link explains more: https://www.izettle.com/gb/help/articles/2258543-how-izettle-processes-contact-details-of-cardholders


(Jonathon) #6

iZettle will not use your contact details for any other purpose, and will not share them with anyone else, without obtaining your consent first.

Presumably by not responding to the email, iZettle will not give details to the retailer.

I guess it’s a service iZettle offer? “Use us, and we may get you new marketing customers”


#7

Great link, the relevant bit is:

When buying something from a seller who uses iZettle, you can choose to have a receipt sent to you via email or text message.

If you provide your email address or mobile number, iZettle will remember your details for the next time you buy something from a seller using iZettle, using the same payment card. This is regardless of whether you’ve previously bought something from this seller or not.

This means that your email address or mobile number will be pre-filled in the receipt view for your convenience the next time you buy something from a seller who uses iZettle.


#8

iZettle is very opaque in how it deals with customers’ emails. With all my bad attitude towards Monzo at the moment even I can’t imagine they get it from them.

I have in the past received an email receipt from iZettle for work that a locksmith carried out. I am absolutely certain that the locksmith didn’t know my address, and that it was my first time paying with iZettle. Until this day it’s an absolute mystery to me how they got hold of my email address…


(Alex Sherwood) #9

Assuming that retailers don’t abuse this, I quite like it. I always ask for a digital receipt & it’s great not to have to wait for the person at the counter to type it into their POS first. GDPR should prevent any misuse.

(To be clear, I’m 100% sure that Monzo didn’t give the retailer / iZettle access to your email address. Their privacy policy is here.)


#10

They say “If you want us to rectify, update or remove your contact details, please get in touch with us at help.uk@izettle.com” so perhaps email them to stop them giving your email to other retailers on iZettle?


(Hugh Wells) #11

Just to clarify, we don’t send any of your Monzo account information back to a retailer when approving a transaction :+1:


(Marta) #12

In their Privacy Policy, available here: https://www.izettle.com/gb/privacy-policy

If you are an End-customer, iZettle may share your data with the Merchant from which you made a purchase.

In other section, they say they literally collect everything about buyer (it’s a bit foggy as they do different paragraphs for Merchants and End Users, but yeah, they suck up data about users like vacuum).

Izettle can link purchases based on card details.

All three things combined mean one thing for me, @heatherbaden. you made purchase from another Merchant in the past, where your email had to be known. On the next purchase from this cafe, izettle found your card… found your profile, suggested new merchant “hey, we can try to opt in this user for marketing crap for you” aaand that’s how this email was born. :sweat_smile::laughing:


#13

Yes, my interpretation is the same as @Avishai

If you have given your email once, or one iZettle merchant knows your email, any time you use your Monzo card again iZettle passes on your email to the next merchant, unless you go thru the hassle of contacting them to opt out.


(Heather) #14

Thank you @Avishai , I’ve written an email to thisisnotok@izettle.com their “Consumer Ombudsman” requesting that they remove my email from their database.

What I don’t understand is how it is OK for them to send my details on. Sure, at some point while using my Monzo a merchant with iZettle probably asked if I wanted my receipt sent by email - and being environmentally conscious I will have said yes. I’m 100% sure I’ve never had the conversation “if we send you this receipt via email, is it OK that iZettle save your details and send on to any other iZettle merchant you use this card with” :roll_eyes:

Thanks all for your help! And sorry Monzo for thinking you passed info on. :slight_smile:


(Heather) #15

Thanks @HughWells ! I’ve emailed iZettle and will be sure to write in more forums that they are doing this.


#16

I have been looking into this a bit more, and I really really wonder how this qualifies as “consent”. Consent needs to be informed, and if I need to read a bit on their website you cannot possibly argue this is informed consent. It also needs to be specific.

See here for the ICO’s guidance on what consent means:

@heatherbaden very curious how they justify this, and what they consider their lawful basis for sharing this information. Here are a couple of questions I’d ask them:

  • What is the lawful basis under which you shared my information with {merchant name}?
  • If the answer is “consent” (and I cannot begin to imagine any other lawful basis would ever apply here): When and how did I give my consent?

If you are not happy with the answer consider a complaint to the ICO.


(Jonathon) #17

And with GDPR now it needs to be explicit consent. However it allows previous consent to be used (90% of those annoying emails we received actually weren’t necessary by the law) which is probably how they can continue to do this now, but probably won’t be able to going forward.


#18

Of course pre-exisitng consent can be used. But only if it complied with the Regulation. (I would say the Regulation only codifies what respectable businesses should’ve been doing for years.) When the consent was given is fairly irrelevant. What matters is that they comply with the Regulation.


(Jonathon) #19

Yes, but previously explicit consent was different (eg. they could pre-tick boxes for consent, whereas now you can’t), which means previous consent was more cloudy than it is now.


#20

Yes, but that’s the point: If the way in which a business sought your consent only complied with previous regulations (e.g. used pre-ticked boxes) then they need to seek new consent. (Edit: oh, and they needed to seek it before the date that GDPR took effect. If they didn’t receive your consent by that date they needed to delete your personal data.)

But if their old “consent-mechanism” surpassed the regulations applying at that time, and already complied with the (not yet existing) GDPR (because they wanted to do right by their customers, rather than obey the letter of the law) then they can continue operating on the basis of that pre-existing consent.