The European Court of Justice (ECJ) has ruled in case C-394/23 (Mousse) that a railway company does not need to request a customer’s gender when a train ticket is purchased online. In this case, the request violates the principle of data minimization under the General Data Protection Regulation (GDPR), underscoring that companies must limit the collection of personal data to what is strictly necessary.
What Was the Case About?
The association Mousse filed a complaint with the French data protection authority (CNIL) regarding the French railway company SNCF Connect, which systematically required customers to specify their salutation (“Mr.” or “Ms.”) when purchasing tickets online. Mousse argued that this requirement violated the GDPR’s data minimization principle, as gender information is not necessary for ticket purchases. However, CNIL dismissed the complaint in 2021. Mousse then appealed to the French Council of State, which referred the case to the ECJ.
What Did the Court Decide?
The ECJ ruled that requesting a salutation or gender when purchasing tickets online is not objectively essential, even if the purpose is to personalize customer communication. The court provided the following reasoning:
- Data Minimization Principle: Collected data must be appropriate, relevant, and limited to what is necessary for processing purposes.
- Legal Basis: The use of gender data must have a legal basis, which could be:
  - Necessary for fulfilling a contract with the individual.
  - Justified by the legitimate interests of the company or a third party.
- Contract Fulfillment: Personalizing business communication based on a customer’s gender identity is not objectively necessary for fulfilling a railway transport contract. Instead, the company could use general and inclusive forms of address that do not reference a customer’s assumed gender identity.
- Legitimate Interests: If a company relies on legitimate interest, it must ensure that:
  - Customers are informed about this interest when data is collected.
  - Processing is strictly limited to what is necessary.
  - Fundamental rights and freedoms of customers are not overridden, particularly if there is a risk of discrimination based on gender identity.
Practical Implications
The ruling has the following consequences:
- Limiting Data Collection: Companies must restrict the collection of personal data to what is absolutely necessary.
- No Personalization at the Expense of Data Protection: Personalization of communication must not compromise data protection and must always have a legal basis.
- Use of General Forms of Address: Companies should adopt inclusive and neutral communication forms that do not reference gender identity.
- Review of Data Collection Processes: Businesses should audit their data collection practices to ensure compliance with GDPR principles.
Summary
The ECJ ruled that asking for gender when purchasing train tickets online is unnecessary and violates the GDPR’s data minimization principle. This decision reinforces the need for companies to limit data collection to essential information and to review and adapt their data protection practices. Businesses should avoid collecting unnecessary customer data and ensure that their communication strategies are both inclusive and privacy-friendly.