The French Data Protection Authority, CNIL, issues guidance on credit card data in remote transactions:
- Merchants who collect credit card details to facilitate a transaction need the consent of their customers to keep those bank details beyond that transaction in order to facilitate subsequent purchases.
- This consent is not presumed and must take the form of an unambiguous act of will, for example by means of a checkbox (not pre-checked by default).
- Acceptance of the general conditions of use or sale is not considered a sufficient mechanism for collecting the consent of the persons concerned.
- The e-merchant should integrate directly into the merchant site a simple way to withdraw, without charge, the consent given.
- The credit card data can also be used in the fight against payment card fraud.
- Merchants can rely on their legitimate interest to keep the credit card data of those customers who take out a subscription in order to benefit from additional services, whether free or paid, that facilitate their purchases.
- When doing so, merchants must (1) disclose that they retain this data, (2) allow an opt-out, (3) allow deletion and (4) implement appropriate security measures.
Details from CNIL.