Online Privacy Policy

WHSmith Privacy Policy wants you to be able to shop with confidence on our site, which is why we take the privacy of your personal information very seriously. We respect your privacy and are committed to protecting your personal data.

This privacy notice will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you. By using our website or any of our services, or providing us with any personal data, you agree to your personal data being used and disclosed in the manner set out in this policy.

Back to top

Purpose of this Privacy Notice

This privacy notice aims to give you information on how WHSmith collects and processes your personal data through your use of this website, including any data you may provide through this website when you shop with us. WH Smith High Street Limited is the data controller and is responsible for your personal data (collectively referred to as "WHSmith", "we", "us" or "our" in this privacy notice).

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Back to top

How We Use Your Personal Data

We will only use your personal data (name, address, email address, date of birth) when the law allows us to, and only for the purposes agreed to when you provided it. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you, i.e. fulfilling an order.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

Generally we do not rely on consent as a legal basis for processing your personal data, other than for our own marketing in some situations, and always for third party marketing. In relation to direct marketing communications via email or text message where we collect your consent, you will always be asked to decide how you wish to be contacted. You have the right to withdraw consent to marketing (or to object to receiving marketing where we do not rely on consent to send it) at any time by contacting our Customer Services team or by unsubscribing from marketing communications in any e-mail sent to you.

Back to top

Purposes For Which We Will Use Your Personal Data

We will use your personal data:

  • To register you as a new customer
  • Process and deliver your order(s) including:
    -Managing payments, fees and charges
    - Collecting and recovering money owed to us
    - Verifying your age with credit agency TransUnion when purchasing age sensitive products. Full TransUnion privacy policy available here:
  • To manage our relationship with you which will include:
    - Notifying you about changes to our terms or privacy policy
    - Asking you to leave a product or service review or take a survey
    - Sending you reminders if you abandon (exit the site) after a search, product view, basket or do not complete your order
  • To enable you to partake in a prize draw or competition**
  • To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, development, support, reporting and hosting of data)
  • To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you**
  • To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
  • To make suggestions and recommendations to you about goods or services that may be of interest to you

** These activities require your explicit consent

Back to top

How is Your Personal Data Collected?

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your personal information by filling in forms or by corresponding with us by post, phone, e-mail or otherwise. This includes information you provide when you:
    - purchase any of our products or services;
    - create an account on our website;
    - create an account in the WHSmith Scan & Go application on Google Play or iStore
    - join our newsletters programmes or other publications;
    - enter a competition, promotion or survey;
    - give us some feedback
    - interact with our social media channels; or
    - engage with our external advertising on third party sites.
  • Automated technologies or interactions. As you interact with our website, newsletters, or emails we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
  • Third parties or publicly available sources. We may collect technical information about your journey through our site with Google Analytics. We and our authorised partners use this data to improve your site experience.

Back to top

Your Legal Rights

You have the right to:

  • Request to access and receive a copy of the personal data we hold about you;
  • Request any corrections to the personal data that we hold about you;
  • Request erasure of your personal data;
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;
  • Request restriction of processing of your personal data;
  • Request the transfer of your personal data to you or to a third party; or
  • Withdraw consent at any time where we are relying on consent to process your personal data.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your access request is manifestly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request where it is manifestly unfounded, repetitive or excessive.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Back to top

The Data We Collect About You

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

When you complete an online form, register or shop with us online, register or shop using the Scan & Go application, or engage with us in the ways identified in the ‘How is Your Personal Data Collected?’ section we may collect, use and store different kinds of personal data about you such as your name, gender, date of birth, billing/delivery address, e-mail address and telephone number. We may also collect and retain information about your interactions with us either in store, online, social media, or through our contact centres so that we can process your transactions and deal with any future queries.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

Back to top


In certain situations, we can collect and process your data with your consent.

In limited situations, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

When collecting your personal data, we'll always make clear to you which data is necessary in connection with a particular contractual or legal requirement.

We may process your personal data without your knowledge or consent (for example, in relation to fraud management or to assist with investigations by the police or other regulatory bodies) in compliance with the above rules, where this is required or permitted by law.

Back to top

Opting Out

You can ask us or third parties to stop sending you marketing messages at any time by contacting us or by unsubscribing from marketing communications in any e-mail sent to you.

In some circumstances you can ask us to delete your data by making a 'Request for Erasure'. In order to make such a request, please write to us at Following your request, your personal data shall be removed from our database without undue delay in accordance with statutory requirements. Our DPO shall thereafter take reasonable steps to inform any third parties who may be processing any personal data they hold about you that you have requested the erasure of any links to, or copy or replication of, your personal data.

Back to top

Promotional Offers from Us While You Are On The Website

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you and display them to you on the website.**

** These activities require your explicit consent.

Back to top


We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We may send you marketing about our own goods and services if either you have opted in to receive our marketing messages, or you have previously bought or enquired about similar goods or services from us (including by placing items in your basket but not completing an order) and you have not opted out from receiving our marketing messages. You can, should you wish, unsubscribe to any or all of our marketing material at any time. By clicking the ‘unsubscribe’ link in any email we send, you will be unsubscribed from that programme. You can also contact us at any point to opt out of any or all marketing communications, or do that by visiting the ‘preference centre’ on our site (available from February 2021).

Back to top

Off-Site Marketing

Whilst browsing other websites you may see WHSmith promotional messages, these will be displayed based on cookies placed during your recent visit to our website. Personal information is not used in the delivery of these promotional messages. Please see our Cookie policy for more detail.

Back to top

Third-Party Marketing

You are in control of any information we share with Third Parties for marketing purposes. As you go through our checkout or account creation processes you will be asked to advise us which contacts you wish to receive. If you have opted in to receive marketing from third parties you can opt out of these marketing messages at any time by contacting us or by unsubscribing from marketing communications in any e-mail sent to you.

Back to top

Third-Party Links

Clicking on links to third-party websites, plug-ins and applications contained within this website, or enabling those connections, may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

Back to top

Disclosures of Your Personal Data

We may have to share your personal data with the parties set out below for the purposes set out above (in Purposes for which we will use your Personal Data'):

  • Other WHSmith group entities, details of which can be found in our Annual Reports;
  • Third party suppliers in order to fulfil orders placed by you
  • Trusted technical partners for the purposes of site development and improvements
  • We may, from time to time, expand, reduce or sell WHSmith and this may involve the transfer of divisions or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Back to top

International Transfers

Some of our third party processors may transfer your data outside of the EEA. Locations outside of the EEA where your data may be transferred is/are: the United States of America. We will update this Privacy Notice if the named locations change. When we or our third party processors transfer your data outside of the EEA we ensure that it remains subject to appropriate data security arrangements at all times and implement the right safeguards with these processors.

Back to top

Data Security

We have appropriate security measures in place to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, technical partners, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Back to top

How Long Will You Use my Personal Data For?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Back to top

If You Fail to Provide Your Personal Data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

Back to top

Data Protection Officer

We have appointed a Data Protection Officer ("DPO") who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact Data Protection Officer, WHSmith, Greenbridge Road, Swindon SN3 3LD or e-mail

Back to top

Contacting the Regulator

If you feel that your data has not been handled correctly, or you wish to make a complaint, you have the right to contact the Information Commissioner's Office ("ICO"), the UK supervisory authority for data protection issues, at any time. You can contact them by telephone (0303 123 1113) or via their website ( We would, however, be grateful for the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Back to top


It is likely that we will need to update this Privacy Policy from time to time. We will notify you of any significant changes via our newsletters.

Back to top

Cookie Policy

Cookies are small text files. Many websites place cookies on your computer when you visit. Cookies are used to make websites work, or to make them work more efficiently, and to provide useful information to website operators.

Many web browsers allow users to control most cookies through their browser settings. However doing so will prevent the checkout from working and you will not be able to place orders.

Back to top

Your Cookie Preferences

We use different types of cookies to optimise your experience on our website. Read more about the different types of cookies below to learn more about their purpose. You can change your cookie permissions at any time. Remember that disabling cookies may affect your experience on the website.

Essential Cookies

These cookies are strictly necessary to provide you with the services available through our websites and to use some of its features, such as access to secure areas.

An example of an essential cookie: __cfduid

Performance Cookies

These cookies are used to enhance the performance and functionality of our websites but are non-essential to their use. However, without these cookies, certain functionality (like videos) may become unavailable.

An example of a performance cookie: _gat_UA-533522-1

Marketing Cookies

These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

An example of a marketing cookie: uuid

Unclassified Cookies

These are cookies that have not yet been categorised. We are in the process of classifying these cookies with the help of their providers.

Back to top

Managing Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. Find out more about how to manage your cookies by browser below.

Manage In Chrome

Manage In Internet Explorer

Manage In Safari

Manage In Firefox

Back to top

The Cookies We Use and What They Do

The table here explains what cookies we use and why. More information about cookies, including details on viewing what cookies have been set and how to delete them is available at

Name Type Description And Domain Retention Period
uuid Advertisement To optimize ad relevance by collecting visitor data from multiple websites such as what pages have been loaded. Domain: 1 year 1 month
MUID Advertisement Used by Microsoft as a unique identifier. The cookie is set by embedded Microsoft scripts. The purpose of this cookie is to synchronize the ID across many different Microsoft domains to enable user tracking. Domain: 1 year 24 days
IDE Advertisement Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile. Domain: 1 year 24 days
_fbp Advertisement This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website. Domain: 3 months
test_cookie Advertisement This cookie is set by The purpose of the cookie is to determine if the user's browser supports cookies. Domain: 15 minutes
dw_dnt Analytics The cookie is used to control client side JavaScript for Commerce Cloud tracking features(Analytics, Einstein and Active Data). Domain: session
__cq_uuid Analytics This cookie contains a randomly generated unique user ID. This cookie is used for collecting information on the visitor activities on the website. This information is used for analytical purpose and for the personalization of the website. Domain: 1 year 1 month
_gcl_au Analytics This cookie is used by Google Analytics to understand user interaction with the website. Domain: 3 months
_uetsid Analytics This cookies are used to collect analytical information about how visitors use the website. This information is used to compile report and improve site. Domain: 1 day
_ga Analytics This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors. Domain: 2 years
_gid Analytics This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form. Domain: 1 day
_cs_id Analytics This cookie is used to store the ContentSquare's user identifier ID. This is a persistent cookie and expires after 13 months. Domain: 1 year 1 month
_cs_s Analytics This cookie is used to store the number of page's viewed by a visitor within the session for ContentSquare's solution. Domain: 30 minutes
_hjTLDTest Analytics This cookie is set by Hotjar. Domain: session
_hjid Analytics This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. Domain: 1 year
_hjFirstSeen Analytics This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions. Domain: 30 minutes
_hjIncludedInSessionSample Analytics This cookie is set by Hotjar. Domain: 2 minutes
_hjAbsoluteSessionInProgress Analytics This cookie is set by Hotjar. To set the current session in progress. Domain: 30 minutes
_cs_c Functional The cookie is used by Content Square to save the user consent to be tracked. Domain: 1 year 1 month
dw_cookies_accepted Necessary This cookie is set by the provider SalesForce Commerce Cloud. This cookie is used for determining if the visitor has accepted the cookie consent box. Domain: session
dwac_* Analytics Session ID, report suite name, shopper’s customer ID, source code group ID (encoded), currency mnemonic, and time zone. The * in the cookie name is a value unique to the site. Domain: session
cquid Analytics First party cookie; contains a hashed ID for a known, logged-in user. Domain: session
dwanonymous_* Analytics Random ID used to identify an unregistered shopper or a shopper who has not yet logged in independent of the session. For example, this is used to track basket and order activity and for analytics. It is not used for any activity that occurs after the shopper registers an account. The * in the cookie name is a value unique to the site. Domain: 5 months 27 days
__cq_dnt Functional The cookie indicates that the browser has opted out of CC Einstein tracking for this site. Commerce Cloud sets it with each page response based on the value of the corresponding session attribute tracking allowed. Domain: session
dwsid Analytics This cookie is used by Commerce cloud digital to operate a storefront. This cookie identifies the current browsing session. Domain: session
dw Analytics This cookie is used by Commerce cloud digital to store a session ID. Domain: session
_uetvid Functional Used by Bing Ads to store and track visits across websites. Domain: 1 year 24 days
mp_whsmith_mixpanel Analytics Stores an anonymous identifier for each user to establish an identity between sessions. Domain: 1 year
Name Type Description Retention Period
_cs_mk Analytics A ContentSquare cookie used to collect information about how visitors use our site. Domain: 30 minutes
bc_invalidateUrlCache_targeting Analytics This is essential to cross-check the state of the Blurcore campaigns. In case there is any change in the campaign configurations, both for targeting and creatives, this cookie is invalidated and a fresh campaign configuration is loaded on the website. Domain: 10 minutes
_dc_gtm_UA-533522-1 Necessary Used by Google Analytics to store a number of service requests. Domain: 1 minute
bluecoreNV Analytics For tracking user state (new/returning). Helps Bluecore to judge if the user is new to the website or a return visitor. Helps in establishing campaign targeting. Domain: 1 year
cqcid Performance This cookie is set by the provider Demandware. This cookie is used for tracking and analyzing the visitors who are visiting the website page anonymously. The cookie is also used for improving the performance of the website and support personalization of the website content. Domain: session
sid Performance This cookie is very common and is used for session state management. Domain: session
_gat_UA-533522-6 Performance This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites. Domain: 1 minute
bluecore_uniteSubmit Functional This for handling the submit of Bluecore forms. Domain: 1 minute
v1v4 Functional This is the main Sub2 cookie that allows all Sub2 services to operate. It allows the Sub2 applications to function for the client site you are interacting with and registers the URL's of the client website that you are visiting. Domain: 2 years
s2sv4 Advertisement This is a session cookie that stores information such as the presence of an email address against this cookie, the number of pages into this session and a customer or non customer flag. Domain: Session

Back to top