[for the avoidance of doubt, what follows is THEORETICAL - no allegations are being made about any person or organisation]
On the original thing, the stakes are about to be upped in the game, substantially, in favour of the consumer.
Obviously, Curry's/PCworld have absolutely no right to demand an email address (though it is reasonable to ask for it, I suppose). If they do gain your email address, "in order to send you an electronic receipt" it is presently illegal for them to use that information for any other purpose at all (Data Protection Act).
If they attempt to be deceptive about this, for example telling the consumer one thing (about wider use) whilst they answer differently to opt-in/out questions the till prompts them, and don't show those to the consumer, then they are way over the line into illegal territory.
Proof of this supplied to the Data Protection Registrar would probably result in a healthily-large fine. Given that company's presence on the high street and the business they are in (including giving out computer security advice, ironically), I'd expect the DPR to take a keen interest pretty quickly.
On May 25th 2018, the General Data Protection Regulation comes into force in English law (and, I assume, the rest of the UK, too). At that point all sorts of stringencies about reasons for keeping and methods of securing and protecting personal data apply.
For example, presently you can email people for any reason, if you have obtained their email address legally and you give them an option in every message to be removed from the list ("unsubscribe"). Under the GDPR, you need explicit permission to email people for any specific purpose - a general permission may not be valid. This should put an end to traded lists of email addresses (don't bank on it though!).
GDPR applies to all forms of stored data, including paper (or even carved stone tablets!), and has extra stringencies on the basis that only authorized people within an organisation, who legitimately need access to specific data may have that. As I understand it, it won't be legal, say, for even the MD to have access to the detail of a mailing list, because despite their seniority, that isn't part of their job function.
Smart organisations are doing several things right now (in a bit of a panic, it would seem, given some of the ones we interact with at work):
1. Sorting out their internal processes and data security systems so as to be fully compliant, including categorizing information carefully and destroying stuff they don't have permission to hold.
2. Requesting permission to continue sending from all names on their mailing lists (printed literature and email - the GDPR doesn't differentiate).
3. Asking any contractors they use to do the same, and (the more sensible ones are) dropping contracts with those who don't. From a company perspective, if a contractor breaks the GDPR using your data, you are responsible, as it is your obligation to safeguard said data and not let it be misused.
The GDPR will be a game-changer with regard to junk mail, email and phone calls, or at least it ought to be. Regulatory bodies such as the DP Registrar's office are historically ridiculously underfunded though. Time will tell if the new regulation is well-enforced or not.
So, if you want to frighten middle managers in retail under such circumstances, you might mention that they will not have permission to continue using any information you give out now after May 25th when GDPR kicks in. They will have to obtain your explicit consent to use any of your data, all over again. Better still, get them to sign a piece of paper confirming the conversation has happened!
Every employee who handles personal data, including staff who put data in at tills, should be trained on the implications of GDPR, as it directly affects their jobs and responsibilities. Drawing attention to this might help concentrate corporate minds a bit, because there are more than a few organisations in complete "denial" over GDPR right now.