Retailers' personalised shopping offerings should reflect a layered approach to data privacy compliance

Out-Law Analysis | 11 Aug 2015 | 10:42 am | 3 min. read

FOCUS: Retailers should adopt a layered approach to data privacy compliance as they embrace new technologies that personalise the shopping experience for consumers.

New 'beacon' technologies can help retailers connect with consumers via their mobile devices as they move around shopping centres and within individual stores. They allow retailers to prompt consumers with promotional offers for goods as they approach particular parts of a shop, and the ability to collect valuable personal data can help to identify future customer trends or improvements in store layouts.

Retailers now have the means to deliver a unified experience to customers that links their bricks and mortar locations to their website, mobile apps and social media activity, and there are already examples of this happening in the market. However, there are privacy issues that retailers must address when innovating in this way.

Transparency and consent

The collection and exploitation of personal data is regulated in the UK and across the EU by data protection legislation.

In the UK the Data Protection Act and Privacy and Electronic Communications Regulations (PECR) apply, with the latter containing specific rules relevant to direct digital marketing.

This legislation generally requires retailers to inform consumers of the type of personal data they will be collecting about them, the purposes for which that data will be used, whether it will be passed onto third parties and, if so, for what reasons.

Where a consumer's personal data is being collected and used for marketing purposes, their consent must be obtained in advance. The consent should be freely given, informed and specific. How valid consent is achieved is at the retailer's discretion.

Opt-in consent is the gold standard approach to data privacy, where consumers are invited to take a positive step to indicate their permission to the processing of their personal data. This might for example involve ticking a box online to approve processing activities that are described in text alongside it.

Opt-out consent acts on the presumption that consumers are happy for their data to be processed in the manner described unless they take action, such as ticking a box, to specify otherwise. This is seen as less transparent and care must be taken by retailers if they choose to rely on this method of consent collection.

A layered approach to data privacy compliance

Because retailers are finding new ways to use personal data and interact with consumers through a range of different mediums, ensuring valid consent to personal data processing is a challenge. Retailers cannot view compliance as just a one-step exercise that can be fulfilled the very first time a consumer engages with them.

At the stage where personal data is about to be collected, whether this is via websites, apps or other data collection methods, a short privacy notice should be prominently displayed setting out the key facts about the data collection and use. This privacy notice should link to a privacy policy setting out in detail the retailer’s proposed activities with the personal data and the rights of the consumer.

It can be difficult to deliver a privacy notice and collect consent when interacting with customers via apps and small screen mobile devices. Retailers should consider carefully when and how in the customer journey to deliver the privacy notice and collect consent to address these technological issues.

For example, if location-based marketing is being used via an app, the privacy notice and consent collection could be presented at the time the customer turns on their location services. Delivering the privacy notice at this point avoids the risk of a customer forgetting they had given consent previously and being annoyed by receiving what could be perceived as unrequested marketing messages at this later stage in their customer journey.

Breaking down the delivery of the information in such a way has the added benefit of enabling the use of multiple shorter notices rather than one longer notice, ensuring greater clarity and helping to enhance customer experience.

Adopting such an approach also has the benefit of helping to build consumer trust in a business environment in which large scale personal data collection and analysis is often viewed with suspicion.

Keeping on the right side of the regulator

In addressing these legal and reputational risks, retailers can also avoid the increasing scrutiny that regulators, such as the UK's Information Commissioner's Office (ICO), are applying to data privacy compliance in the digital age. The ICO's powers to take action in respect of breaches of the Data Protection Act or PECR include issuing fines and/or 'naming and shaming' the perpetrators.

The sanctions for non-compliance are set to get stiffer under the reformed EU data protection framework currently being negotiated at EU level, with a new General Data Protection Regulation (GDPR) likely to be finalised by early 2016.

For retailers and other companies that operate on a cross-border basis, the GDPR promises to introduce certainty because of its direct pan-EU application. It is also likely to bring a stricter regime of compliance by enhancing the tools of the data protection authorities across the EU to address non-compliance, including an ability to serve significantly higher fines for breach.

Retailers that adopt the layered approach to data privacy compliance now can help to future-proof themselves against the demands likely to be placed on businesses under the new GDPR.

Samantha Livesey is an expert in retail data privacy at Pinsent Masons, the law firm behind Out-Law.com