Industry Guides

Data Protection for Retail Businesses

How Jamaican retailers and e-commerce stores should handle customer data, loyalty programmes, CCTV, and marketing under the DPA.

Intermediate 16 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • The customer data retailers typically hold
  • How loyalty programmes and marketing trigger obligations
  • Handling CCTV and payment data responsibly
  • Practical steps for physical and online stores

Overview

Retailers collect more customer data than ever, from loyalty sign-ups and email lists to e-commerce accounts and store CCTV. This guide explains, in plain language, how a Jamaican retailer can handle that data well under the Act.

Why this matters

Customers expect a shop to take their details seriously. Marketing missteps, an exposed customer database, or careless CCTV can all cause complaints and damage trust. Good practice here is also good for the brand.

The data you hold

  • Customers: names, phone numbers, emails, delivery addresses, purchase history.
  • Loyalty members: sign-up details and detailed buying patterns.
  • Online shoppers: accounts, order history, and website tracking data.
  • In-store: CCTV footage and, sometimes, payment information.

Marketing and loyalty programmes

Marketing by email, SMS, or WhatsApp generally requires clear consent, and every message must offer an easy way to opt out (see Do I Need Consent?). Loyalty programmes are fine, but use the data only for what members would expect, and be transparent about it.

Tip. Separate "I want to buy this" from "I want your marketing." Do not assume a purchase is permission to market. Ask clearly at sign-up.

CCTV

CCTV footage of identifiable people is personal data. If you use cameras:

  • put up clear signage so people know they are being recorded
  • keep footage only as long as you need it, then delete it
  • limit who can view it, and handle access requests for footage carefully

Payment data

Card details are highly sensitive. The safest approach is to handle as little of it as possible: use a reputable payment provider so card data flows through them, and never store full card numbers in your own systems.

Watch out. Storing customer card numbers in a spreadsheet or notebook is a serious risk. Let your payment provider hold that data under their security.

Common scenarios

  • Building an email list. Collect consent at sign-up and honour unsubscribes immediately.
  • Abandoned-cart emails. Treat these as marketing and rely on a proper basis.
  • A customer asks what data you hold. Treat it as an access request.

Common mistakes

  • Adding every customer to a marketing list without consent.
  • Running CCTV with no signage or retention limit.
  • Storing card details to "make checkout easier".

Best practices

  • Publish a clear privacy notice covering customers, loyalty, and CCTV.
  • Get marketing consent properly and make opting out effortless.
  • Use a trusted payment provider and strong account security.

Put this into practice

Create a clear privacy notice for your shop or online store in minutes.

Generate a privacy notice for your store

Frequently asked questions

Generally yes. Marketing usually needs clear consent, and every message must let people opt out easily.

Key takeaways

  • Retailers hold customer, loyalty, and increasingly online data that the Act covers.
  • Marketing and loyalty programmes usually need clear consent and an easy opt-out.
  • CCTV and payment data each need careful, specific handling.
  • A clear privacy notice and basic security cover most of your obligations.

Related

Ask the Privacy Assistant

Beta