GDPR at the Point of Sale: What Receipt Advertising May — and May Not — Do
Published on 26 June 2026
When “receipt advertising” comes up in marketing meetings, the GDPR question follows sooner or later. Rightly so: nobody wants a warning letter because an over-eager tracking layer landed on thermal paper. The industry also circulates half-truths — some call receipt ads a GDPR nightmare, others a loophole with no rules. Neither is true.
The GDPR idea, briefly and honestly
GDPR governs processing of personal data. Once data can be linked to an identifiable person, it applies. Purely anonymous or transaction-level data without personal reference falls outside scope.
Well-designed receipt advertising starts here: the QR code on the receipt is a transaction ID, not a person identifier. As long as no personal data is linked when printing or encoding, there is no GDPR-relevant processing at the POS.
What is allowed at the POS — and what is not
GDPR-compliant at the POS
- Printing a QR code with an anonymous transaction ID
- Linking that ID to product categories (e.g. “energy drink”) for contextual offers
- Counting scans and redemptions in aggregate
- Recording actions the user triggers on the landing page (under the advertiser’s responsibility)
When GDPR obligations kick in
- When the customer enters data on the landing page (email, address), GDPR applies. The advertiser needs a privacy notice and a legal basis.
- Cookies or fingerprinting on the landing page require TTDSG-compliant consent.
- If brands later use collected addresses, the full GDPR applies, including data processing agreements.
Clearly not permitted
- Using card or payment data to personalise ads
- Sharing personal receipt data with brands without legal basis
- Linking the QR code to profiles from other sources without consent
The retailer’s role
For petrol and kiosk operators this matters: if the solution generates the QR as an anonymous transaction ID, the retailer is not the data controller for downstream advertising. They print a receipt — full stop. What the customer voluntarily does afterwards sits outside the retailer’s processing.
That is a strong argument when pitching networks with central privacy policies.
The brand’s role
Advertisers have clear duties: once the customer enters personal data on the landing page — email for a coupon or a delivery address — standard GDPR mechanics apply: privacy notice, legal basis (often consent under Art. 6(1)(a) GDPR), access and erasure rights. Solid retail media platforms provide consent templates.
Practical recommendations
Three pragmatic steps for brands and retailers starting receipt advertising:
- Anonymous transaction ID, not personal data. Get written confirmation from your platform that no personal data is collected at the POS.
- Clear separation of roles. POS data responsibility = retailer. Landing page = advertiser. Document that line.
- Secure processing agreements. Once the platform processes data for brands, an Art. 28 GDPR DPA is standard — do not skip it.
Conclusion
Receipt advertising at the POS can be GDPR-compliant when it is built cleanly and responsibilities are split. Partners who actively address privacy (not only in terms and conditions) deliver a high-conversion channel without legal guesswork.


