I've been through this before. Online receipts identified with long, random URLs. Users posting them online with no regard for security. Requiring a login for purchase was deemed infeasible since it adds friction to the checkout process. The only thing keeping the online receipt from google was robots.txt.