John Lewis Mishandling Data? Can they demand to store my payment details without making a purchase?

DiscoveryJ

As mad as it sounds, the title of this post is absolutely true, and I wondered if anybody can give me some advice?

Basically, I purchased a nonstick frying pan from John Lewis a couple of years ago that came with a lifetime guarantee. The nonstick coating started to peel, and so under the terms of the guarantee I contacted them to see if I could get a replacement. 

It was very straightforward, and after confirming with a few pictures, they said they would arrange a replacement to be sent out.

HOWEVER, they said in order for them to do that, they needed to first “Capture” my banking card details “for future reference”. I didn’t understand. I wasn’t being asked to pay out any money, and indeed they said they wouldn’t charge me anything once they’d taken my card details. And also, they weren’t refunding me anything as they were simply sending out a replacement. So I asked why I needed to give over my card details. What was the purpose and what would they do with them? I was simply told that they have to capture my payment details so they can store it in their systems in case I want to buy anything in the future or get anything refund it in the future!!

It’s made no sense to me so I complained and said I didn’t want my personal card details being stored for no good reason other than on the off chance I purchase from them in the future. And if that happens, surely I can just give my card details then!

(For context, my card details were once stored by another company, that later had a data breach and my payment details were leaked. I’m therefore always careful to never ask online stores to save my payment details for future reference at checkout).

The rather unhelpful customer service agent then said “It’s your choice. You can choose to decline the warranty replacement or you can give us your card details but you can’t have both”. So basically, my legitimate warranty replacement was being held to ransom, until I was prepared to handover my personal banking details for them to store for the sheer fun of it. 

Having logged a complaint through the normal channels on the John Lewis website, I was contacted by one of their complaint handlers who I hoped could help resolve this and send me my replacement without having to needlessly supply my private data. Sadly, this wasn’t possible. She said the reason I was being asked to provide my card details for them to capture was because the card I originally paid with two years ago, had expired and they wanted to store my up to date card details in case I ever want to purchase from them or ever need a refund. The same old story. She accepted that my card details were irrelevant to my warranty claim, but once again confirmed if I didn’t hand them over, then I wouldn’t get my replacement frying pan.

I honestly don’t get it, and I feel really aggrieved that I don’t have the choice of whether my personal details are held by John Lewis or not. Her only suggestion was that I could give my payment details over to get my warranty replacement and then ask for my entire data file with them to be deleted. But surely that’s not the point. They shouldn’t be taking and storing payment details for no reason in the first place. Surely? Or am I wrong? Also, I don’t particularly want to delete my entire data file as it contains my order history with useful information in. I just don’t want my payment details stored.

From the resolution point of you, I had no choice and I’ve had to give them my personal details and just hope their systems are secure, and nobody ever hacks in. But I still strongly feel this isn’t right and they haven’t come back with anything from my complaint, other than to say capturing and storing customers payment details is standard procedure for them.

What can I do? This is surely a breach of data protection / handling laws? If they needed my payment details as some kind of security or verification, then I would understand. But, making me give them over for the sheer fun of it, just so they can store them, feels wrong to me.

My thoughts are to go to the ICO and complain to them. What are your thoughts? Do you think what John Lewis are doing is acceptable and complaining to the ICO will be a waste of my time? Or do you agree and think I should pursue it? Any advice, gratefully received.

DiscoveryJ

I purchased a nonstick frying pan from John Lewis a couple of years ago that came with a lifetime guarantee. The nonstick coating started to peel, and so under the terms of the guarantee I contacted them to see if I could get a replacement. 

It was very straightforward, and after confirming with a few pictures, they said they would arrange a replacement to be sent out.

HOWEVER, they said in order for them to do that, they needed to first “Capture” my banking card details “for future reference”. I didn’t understand. I wasn’t being asked to pay out any money, and indeed they said they wouldn’t charge me anything once they’d taken my card details. And also, they weren’t refunding me anything as they were simply sending out a replacement. So I asked why I needed to give over my card details. What was the purpose and what would they do with them? I was simply told that they have to capture my payment details so they can store it in their systems in case I want to buy anything in the future or get anything refund it in the future!!

It’s made no sense to me so I complained and said I didn’t want my personal card details being stored for no good reason other than on the off chance I purchase from them in the future. And if that happens, surely I can just give my card details then!

(For context, my card details were once stored by another company, that later had a data breach and my payment details were leaked. I’m therefore always careful to never ask online stores to save my payment details for future reference at checkout).

The rather unhelpful customer service agent then said “It’s your choice. You can choose to decline the warranty replacement or you can give us your card details but you can’t have both”. So basically, my legitimate warranty replacement was being held to ransom, until I was prepared to handover my personal banking details for them to store for the sheer fun of it. 

Having logged a complaint through the normal channels on the John Lewis website, I was contacted by one of their complaint handlers who I hoped could help resolve this and send me my replacement without having to needlessly supply my private data. Sadly, this wasn’t possible. She said the reason I was being asked to provide my card details for them to capture was because the card I originally paid with two years ago, had expired and they wanted to store my up to date card details in case I ever want to purchase from them or ever need a refund. The same old story. She accepted that my card details were irrelevant to my warranty claim, but once again confirmed if I didn’t hand them over, then I wouldn’t get my replacement frying pan.

I honestly don’t get it, and I feel really aggrieved that I don’t have the choice of whether my personal details are held by John Lewis or not. Her only suggestion was that I could give my payment details over to get my warranty replacement and then ask for my entire data file with them to be deleted. But surely that’s not the point. They shouldn’t be taking and storing payment details for no reason in the first place. Surely? Or am I wrong? Also, I don’t particularly want to delete my entire data file as it contains my order history with useful information in. I just don’t want my payment details stored.

From the resolution point of you, I had no choice and I’ve had to give them my personal details and just hope their systems are secure, and nobody ever hacks in. But I still strongly feel this isn’t right and they haven’t come back with anything from my complaint, other than to say capturing and storing customers payment details is standard procedure for them.

What can I do? This is surely a breach of data protection / handling laws? If they needed my payment details as some kind of security or verification, then I would understand. But, making me give them over for the sheer fun of it, just so they can store them, feels wrong to me.

My thoughts are to go to the ICO and complain to them. What are your thoughts? Do you think what John Lewis are doing is acceptable and complaining to the ICO will be a waste of my time? Or do you agree and think I should pursue it? Any advice, gratefully received.

tempus_fugit

I don't know the legalities of this but if it doesn't say in the warranty terms and conditions that you have to provide card details to avail yourself of the benefits of the warranty then I don't think they have a leg to stand on. Whether it's worth getting leagal about it though in view of their stubbornness I don't know.

Personally I would just give them the details (if there's a subsequent breach then it's their fault and they have to deal with it or the bank will) and then put them to the inconvenience of having to delete your details later, but it's up to you if you want to go down this route or not. 

This will be one of those cases where their "instructions" say they "have to" do this and they won't budge from it for anything.

Grey_Critic

I rather suspect that the reason is not ro harvest data but simply to update the record of your original purchase as they will see your card used to pay for the original has expired. They cannot refund you if it is no longer valid and in some cases they might have to refund rather than replace.

When investigating your claim they quite possibly noted that the expiry date on the card used for the original purchase expired - it would be legal for them to keep the original purchase information on file.

My name and address are on file with JL for purchses I have made but I have always been asked to provide my card details and never been asked if the card I am using is on file.

theonlywayisup

https://forums.moneysavingexpert.com/discussion/6434019/can-john-lewis-store-my-payment-card-details-even-though-i-m-not-making-a-purchase-or-refund#latest

theonlywayisup

https://forums.moneysavingexpert.com/discussion/6434017/john-lewis-mishandling-data-can-they-demand-to-store-my-payment-details-without-making-a-purchase#latest

Undervalued

Broadly, a warranty (which is over and above your statutory rights) can have pretty much whatever terms and conditions the provider chooses.

If you were making a claim under your statutory consumer rights then they could not insist on having your card details. Under the warranty, if you wish to claim, they almost certainly can.

Undervalued

Not sure why you have posted this lengthy question twice. Anyway, I have replied to your other thread. However, it won't be the answer you want to hear!

tacpot12

I would given them your card details and then call the card provider and tell them you have lost the card and need a replacement.

I would not bother complaining to the ICO. I don't think they will stop John Lewis doing this, even though it is highly suspect.

goater78

There isn’t really a great difference between using a card online and having an online retailer save your card details. In both scenarios your card is stored with a third party payment service provider. The only real difference is the convenience of being able to reuse your card if you’ve saved it. If the PSP did get hacked then either way you’re compromised. 

flaneurs_lobster

Not that you want to give JL any details at all but a Revolut one-time only virtual card would be appropriate.