When Age Verification Goes Too Far: A GDPR Perspective

In the world of online shopping, we’ve all become accustomed to filling out forms and providing personal information. But when does data collection cross the line from necessary to excessive? A recent experience, shopping for my daughter’s birthday present, highlighted this issue and got me thinking about GDPR compliance and consumer rights.

The 26-Year-Old Shopper (Or Am I?)

Picture this: I’m browsing a well-known retailer’s website, ready to purchase my daughter’s birthday gift. As I proceed to checkout, I’m asked for my date of birth. The reason? To verify that I’m over 16 years old of age.

Now, let’s be clear – I’m definitely over 16. In fact, I’m well over 26. But something about this request didn’t sit right with me.

Why This Matters: GDPR and Data Minimisation

Under GDPR, there’s a principle called data minimisation. It means organisations should only collect personal data that’s necessary for a specific purpose. In this case, the retailer only needed to know if I was over 16 – not my exact date of birth.

A simple checkbox confirming I’m over 16 would have sufficed. Instead, they asked for information that’s both excessive and potentially valuable for marketing purposes.

My Small Act of Rebellion

Annoyed by this intrusive request, I decided to input a false birth date. According to their records, I’m now a sprightly 26-year-old. It’s a small act of defiance, but it highlights a larger issue: consumers shouldn’t have to choose between protecting their privacy and making a purchase.

The Marketing Opt-Out Test

I also opted out of marketing communications. Now, I’m curious to see if they’ll respect this choice. I use a separate email for these transactions, so it might take a while to notice if they ignore my preference as I consider this a junk email account and don’t check it unless there is a problem with my purchase. But it’s another test of their commitment to data protection principles.

Your Turn: Are You Collecting Excessive Information with regard to date of birth?

If you’re a business owner or involved in data collection processes, it’s time for some self-reflection. Are you asking customers for their date of birth when you don’t really need it? Here are some questions to consider:

  1. Do you need date of birth, age or just a confirmation they are over a certain age? Could you justify your choice if asked?
  2. Are you using age verification methods that respect user privacy?
  3. Have you reviewed your data collection practices recently to ensure GDPR compliance?
  4. Are you giving customers clear options to opt out of data collection that isn’t essential for their purchase?

Remember, under GDPR, you have an obligation to collect only the data that’s necessary for your stated purpose. Excessive data collection not only puts you at risk of non-compliance but can also erode customer trust.

Not sure whether you are collecting the right amount of data, then book a free, no obligation call here.