The French Data Protection Authority, CNIL, issues guidance on credit card data in remote transactions:
- Merchants who collect credit card details to facilitate a transaction need the consent of their customers to keep those bank details beyond that transaction in order to facilitate subsequent purchases.
- This consent is not presumed and must take the form of an unambiguous act of will, for example by means of a checkbox (not pre-checked by default).
- Acceptance of the general conditions of use or sale is not considered a sufficient mechanism for collecting the consent of the persons concerned.
- The e-merchant should integrate directly into the merchant site a simple way to withdraw, without charge, the consent given.
- The credit card data can also be used in the fight against payment card fraud.
- Merchants can rely on their legitimate interest to keep the credit card data of those customers who take out a subscription in order to benefit, whether free or paid, from additional services that facilitate their purchases.
- When doing so, merchants must (1) disclose that they retain this data, (2) allow an opt-out, (3) allow deletion and (4) implement appropriate security measures.