Data protection during Christmastime blog – what you need to know

24th November 2023

As we approach Christmastime and the busy shopping season, we thought it might be helpful to provide an overview of some of the DPC’s guidance around the issues that crop up the most at this time of year.

In this blog post, we will take a look at connected toys and devices which you may gift or receive during the festive period, as well as the rules around e-receipts and direct marketing for retailers.

If there’s a particular topic that you’re interested in learning more about, you can find the links to all of the relevant pieces of guidance discussed today in the further information section below.

The DPC has produced a podcast in conjunction with this blog, which is available at Data protection during Christmastime podcast – what you need to know

Connected toys and devices

Connected toys have the ability to interact with children, either directly or through an accompanying app.

In some instances, the toys can recognise words and react in certain ways to suggest an emotional response to what the child says or does — for example, a doll that closes its eyes when asked to go asleep by the child. In cases where these toys connect to an app, this might allow for the collection and recording of ‘conversations’ between the doll and the child, or even act as a walkie-talkie.

It’s important to know that for some of these products the voice recordings are shared with other companies, and the toys’ terms and conditions may allow for the child’s conversations to be used as the basis for targeted advertising.

Certain toys may also be advertised as using AI to appeal to some children. Generally speaking, this could mean that more data will be collected and that it will be subject to complex processing which may result in a profile being created about your child.

Smart watches are another common gift for both adults and children. Similarly, these can allow parents or guardians to communicate with their child through a mobile phone function, and report the location of the child. Some watches feature an ‘SOS’ button to allow a quick dial capability if there is an emergency.

While these features can be very useful, it is important to note that it has been found that in some cases these communications functions are not secure and can be hacked, which would allow eavesdropping on conversations, or even direct communication with the child. The location function on these watches can also be manipulated by hackers to make the child appear somewhere else, and the ‘SOS’ function can even be tricked to use a non-trusted phone number.

So there can be certain risks associated with these toys and devices and that is why it’s essential that you’re aware of the data protection legislation that guards against these.

In our guidance note, we have a full list on things to look out for in this area. We encourage parents and guardians, or anyone who wishes to gift a child with a similar device, to give careful consideration when selecting one that has a:

  • Camera or voice-recording ability,

  • Connects to the internet,

  • Allows remote connection using a smartphone or tablet app, or

  • Has a location tracking facility.

If you are happy to buy the toy or device for a child, then take care to ensure that it is working in the way described, and that you are happy with what it is doing, especially when it shares information with an app or with companies or websites that it might connect to.


Another topic which is particularly relevant at this time of year is the increasing number of retailers, at the point of purchase, offering customers the option of receiving an electronic receipt, or an ‘e-receipt’.

The DPC previously carried out a series of audits in order to assess how organisations process personal data in the course of providing e-receipts to customers. In a number of cases, email addresses gathered for the purpose of issuing e-receipts were subsequently used by retailers in order to issue marketing materials. Following on from these audits, the DPC produced guidance around the use of e-receipts to assist retailers in adhering to best practice and it’s important that customers know their rights in this regard.

At the point of purchase, if a customer is asked to provide an email address:

  • They should be advised if the reason is to provide them with an e-receipt; and

  • It should be made clear that they are under no obligation to provide their email address so that they can be sent an e-receipt, rather than being handed a hard copy receipt from the till.

If an email address has been collected for the purpose of sending an e-receipt, and the retailer then wants to use that address for sending marketing emails, we always advise that the retailer must inform the customer about this and give them the opportunity to opt-out of receiving marketing emails at the point of collection of their contact details. If they fail to do this, then it is unlawful for the retailer to use the customer’s email for this purpose. The customer should also be given an easy opportunity to opt-out of further marketing communications each time they are later contacted for marketing purposes.

Data protection law requires retailers to process data transparently and to be accountable to both the customer, whose data they process, and to the DPC. Retailers who want to send marketing emails in this way must comply with the rules as set out in both the General Data Protection Regulation (GDPR) and the ePrivacy Regulations, both of which also govern our next topic of discussion, direct marketing, of which there can be a notable increase in as we approach the Christmas shopping period.

Direct marketing

Direct marketing usually involves an organisation or marketer attempting to promote a product or service, or attempting to get you to request additional information about a product or service, by targeting you as an individual.

The DPC tends to receive a lot of queries on these types of communications and how to opt-out of them. Typically such marketing communications are sent by email, text message or by way of telephone calls (known as cold calling). The communications often contain special offers or promotions. But direct marketing can be broader than sales pitches as it also includes canvassing for votes in an election or the promotion of the ethos of an organisation.

If you receive direct marketing when you have not provided your information to an organisation, or did not provide it for the purpose of marketing, this is known as unsolicited direct marketing. You may or may not have directly provided your contact information to an organisation but nevertheless, this does not always mean you provided your contact details in order for the organisation to market their products or services to you.

You can stop an organisation sending further unsolicited direct marketing to you by sending an ‘unsubscribe’ or opt-out request to the organisation that sent you the marketing material. The marketing material you receive should always include a valid address to which you may send such a request and your unsubscribe request must be actioned.

However, it’s important to note that not all marketing communications sent by an organisation involves the processing of personal data, and therefore, data protection regulations do not apply in those situations. For example, direct marketing does not include market surveys seeking your views on issues such as political matters or radio listenership preferences.

Apart from these scenarios, though, if you receive direct marketing from an organisation you never dealt with before and if you have concerns as to where your information was sourced, you can seek an explanation from the organisation concerned.

Where you’re unhappy with the outcome of this, you can of course contact the DPC for further advice. Infringements of the rules governing unsolicited direct marketing is a serious matter and such infringements are treated as criminal offences which may be prosecuted by the DPC in the District Court. Penalties of up to €5,000 may be imposed for each offence.

If you receive direct marketing communications that breaks the rules discussed above, you may submit your concern to the DPC outlining the details through our online form available on our website.

Further information:

Connected toys and devices: 


Direct Marketing: