Requesting you to prove your identity to validate a purchase: is it legal?

Your Italian online seller asks you for a copy of your ID card to validate your order? This is often part of the KYC (for "Know Your Customer") procedures put in place by some traders. Some sellers are just trying to avoid identity theft or payment fraud. Others, however, use your information to assess your creditworthiness, better target you with their marketing or learn more about your buying behaviour. How to deal with these requests? How are they regulated in Europe? Explanations and advice in this article.

Why am I asked to prove my identity before validating an order?

It is not uncommon for an e-tailer to ask you for certain information at the beginning of the order process or before confirming your subscription to a service.

This is usually standard data such as your name, postal address, email address or telephone number. The online seller may also check your IP address or even analyse the type of hardware you are using (PC, smartphone, which operating system etc.) via software.

Some sellers also ask for a copy of your identity card or passport, or any other document proving your identity.

The purpose of these checks is to minimise the risk of payment fraud or identity theft.

Example: You have regularly purchased from a Danish website for small amounts. If you decide to order for a larger amount, the Danish site may ask you for proof of identity or even proof of address or other evidence to ensure that you are the same customer as for other orders.

Social networks, some banks... may also ask you to take a selfie or participate in a video chat, to make sure that your account is not a fake or a robot account.

In the financial, banking and insurance sectors, verification of the customer's identity is common and helps to combat money laundering and terrorist financing. But in this sector, KYC practices ("Know your customer") are very much regulated in Europe. More information in our article on blocked bank accounts.

Your IP address is also an interesting piece of data for the merchant because it allows him to know in which country you are and thus better set the language of the merchant site, the means of payment and possibly block the order.

Example: the IP address indicates a country to which the seller does not deliver but the customer chooses another country for delivery.

More information in our article on the End of geoblocking.

Is asking for proof of identity to validate a purchase legal?

When paying by card, online merchants targeting the French market may ask for (not require) proof of identity. But the customer has the right to refuse to provide it. The Commission Nationale Informatique et Libertés has made it clear that if the collection of the cardholder's identity is not necessary for the transaction, it should not be requested.  

Good to know: in France, refusal to sell is prohibited unless the consumer's behaviour is inappropriate or in bad faith. If you feel you have been discriminated against in this way, report it to www.signal.conso.gouv.fr

Online traders often ask for personal information from buyers to prevent fraud. However, they must respect the data protection principles of the European Data Protection Regulation (EDPR).

For example, the information collected can only be used for a legitimate and legal purpose. Online retailers and social networks may not use your data for any other purpose. Nor may they keep it for longer than a justified and proportionate period. Your data must be updated and corrected, and deleted after a certain time. And only authorised persons should have access to the information requested in the context of "Know your customer" procedures.

You must of course be informed if your data is included in customer lists, you must consent to this and be able to object to it, access it and rectify it.

More information on the Protection of your personal data

Tips if you decide to send proof of your identity

  • Cross out the photocopy of your identity document and indicate the reason for sending it.

Example: "This photocopy can only be used to validate my order/registration no. XXX by the seller XXX".

  • Date the copy.
  • Hide information from your ID card or passport, such as the title number, especially if you are sending a photo with this document.

What if I am asked to send a copy of my credit card

Never send a picture of your bank card!

When an online seller asks you for information to prove that you are the owner of the payment card or bank account, they want to make sure that it is not :

  • a fake bank card,
  • a stolen bank card,
  • stolen bank account details.

Warning: an online seller who targets French customers cannot ask you for a copy of your bank card, even if the visual cryptogram and part of the numbers are hidden. Never send a copy of both sides of your bank card showing the visual cryptogram. Choose sites with strong customer authentication.

Good to know: you must always give your consent if the merchant site offers to store your credit card details for future purchases. No site can force you to register your card, nor can they use pre-ticked boxes.

Information that is also used to assess your creditworthiness

The information you give the seller can also be used to query a scoring service in real time.  Scoring is a marketing technique that consists of analysing your data and assigning you a score that ranks you according to your probability of purchase, your creditworthiness, and the gain or risk you can generate.

For example, if you have lived in Germany, the online seller can use your name to ask the "Schufa" (credit rating agency) about your level of indebtedness.

If your scoring is good, i.e. if the prognosis on your payment behaviour is good, the online seller could offer you more payment methods, for example. And if you become a regular customer, they might even offer you more "risky" payment methods (credit cards, payment on account, SEPA direct debits, etc.).

On the other hand, if your score is poor, you will have no choice but to pay your order in advance.

Information that is also used to better target you

KYC ("know your customer") techniques also allow merchants to adapt their sales techniques and marketing means to the customer.

If you regularly take part in post-purchase surveys or polls, you should know that online retailers can use your socio-demographic data (age, gender, family situation, profession), your psychological data (interests, opinions, etc.), or your behavioural data (purchase history, frequency of purchases, response rate to emailings, etc.) to assign you a score and classify you as an occasional customer, a regular buyer or a VIP customer, for example.

In this way, merchants can adapt their marketing offer to your profile and your score: targeted promotional offers, products offered as a preview, discounts, etc.

Be careful not to be tempted by offers you don't really need. Ask yourself the right questions before you buy! Think before you click !

Information that is used to better understand your purchase behaviour

Requests for information under the "Know your customer" procedures also enable retailers to find out about your purchasing behaviour.

Examples :

  • The number of orders returned within the withdrawal period.

  • The number of payment disputes via chargeback that you have invoked.

  • The number of complaints you have sent to customer service.

Can I be asked for my identity card when booking accommodation in Europe?

When booking accommodation in the EU, some hoteliers or accommodation owners ask you to send them a copy of an identity document. But, in principle, you only have to produce it on arrival.

In France, as in Bulgaria, the hotelier is in principle not allowed to copy your identity card or passport, or any other proof of identity. If you are a foreigner (European or not), you will have to present an identity document and fill in an "individual police form". This is for the purposes of preventing public disorder, judicial investigations and searches in the interest of the individual. This form must remain at the disposal of the police/gendarmerie for six months. After this period, the card must be permanently and securely destroyed.

In Germany, the identity card cannot be copied or registered, unlike in Hungary for example.

Social scoring is being debated in Europe

After a purchase, a trip, a stay, an online service, you have certainly received an invitation to "share your experience", to rate the product, the restaurant, the hotel, the deliveryman, the taxi... And of course, your comments on social networks, your online opinions, will be shared, "liked" etc.

This system of permanent rating required of a consumer in all his or her behaviour in the public space or online is called "social scoring". It is the subject of debate at European level.

On 6 October 2021, the European Parliament adopted a non-binding resolution calling, among other things, for a ban on social rating systems.

In its draft opinion on the proposed EU regulation on artificial intelligence, the European Parliament's Committee on Culture and Education proposes to “ban on deployment of social scoring systems to usage by public and private entities given the inherent threat of discrimination and exclusion of certain groups or individuals.”

Towards a European digital identity?

In the EUe, a proposal for a European digital identity accessible in all EU countries is underway. In concrete terms, this will be an application that can be used in any EU country, allowing Europeans to register various personal data and documents. It will allow them to identify and authenticate themselves electronically and to create and use electronic signatures and stamps accepted throughout the EU. More information on the European Commission's website.