Retailers beware – privacy issues with in-store technology engagement

The number of retailers using advanced technology to enhance their marketing approach is growing, and so is awareness (and nervousness) from shoppers of big brother-type methods. Shoppers are increasingly asking themselves “how do they know that I bought dishwasher tablets last week”, “how did they get my email address” or “how do they know how often I visit the store”.

On top of this, as the recent TalkTalk security breach has shown, the costs of failing to have adequate data security systems in place can be disastrous, with the reputational damage that may follow a high-profile security breach considerably outweighing any regulatory fine. A company that is hacked may also face the possibility of a damages claim from aggrieved consumers who, following a Court of Appeal ruling earlier this year, do not need to prove financial loss to bring a claim following a data protection breach.

What are the advanced technology marketing methods shoppers may be concerned about?

  • Mobile phone tracking involves shops installing tracking devices which pick up MAC addresses from customers’ mobiles. Information can be gathered on how often customers visit a store, how much they spend and other footfall patterns. It can also be used to track the number of shoppers who walk past a shop but don’t go in.
  • Retailers are also using small devices around stores to send location-specific messages with targeted deals or vouchers via text or apps to shoppers’ smart phones.
  • Free in-store wifi is being used by retailers to obtain customers’ information when they sign up. Combined with location tracking data, this can provide organisations with insightful information.
  • In-store movement can be monitored and analysed through use of the more conventional CCTV. This includes looking at how busy a store is, how long customers stay in certain areas of the store and trends in product choices – what shoppers are both picking up and putting down.
  • Facial scanning video screen advertisements determine the gender and age of the viewer, and this information is used in conjunction with particular times and locations to assist retailers in tailoring adverts.

How do the Data Protection Act 1998 (the Act) and other privacy legislation apply?

“Personal data” is defined in the Act as data that relates to an identifiable living individual. “Identifiable” means that the individual can be identified from that data, either alone or in combination with other information.

The Act sets out specific obligations on organisations in terms of how they use personal data.

Clearly not all marketing methods using advanced technology will be capable of being classified as involving “personal data” in isolation. However, it is important to remember that if any data, in combination with other information, can lead to an individual being identified, this would make the information “personal data”.

Direct marketing is governed by specific rules in the Privacy and Electronic Communications (EC Directive) Regulations 2003 and, as with the Act, the Information Commissioner (ICO) has provided detailed guidance on the interpretation of this legislation in addition to numerous best practice requirements that should be considered.

Mobile phone tracking and location specific messages

Retailers often use location information in conjunction with their own customer data, such as loyalty schemes, to tailor the products offered in messages to customers.

Guidance from the ICO has clarified that, individually, mobile phone location data and store loyalty cards are examples of big data analytics which involve the processing of personal data.

Free wifi

Signing up for in-store wifi involves a customer providing their name, email address and, sometimes, phone number. The internet service provider will have access to this information, and may share it with third parties.

Retailers using customer data through wifi sign-up need to be aware of their obligations under the Act.

In-store CCTV monitoring

Whether or not a person is identifiable from the CCTV is the main issue here. It is widely accepted that individual customers cannot be identified from CCTV alone, and therefore there is no ‘personal data’ to be the subject of the Act.

An area of difficulty could be where CCTV is used in conjunction with other marketing methods, such as phone tracking and/or location-specific messages. This could potentially give rise to a situation where an individual could be identified (for example, in a larger store during a quieter time when they are the only shopper in a particular department).

A possible way around this may be to segregate the way each system is run so that the information cannot be amalgamated to form identifiable personal data.

Facial scanning

Video screen adverts are not yet as widely used as other new technologies. It has been argued that the face-reading screens are less intrusive than CCTV monitoring, but opinion is divided and, as the approach from the ICO is not clear, considered privacy design is paramount.

Associated applications

Retailers may integrate with applications made by third parties – e.g. payment providers. It is essential that the correct protocols are put in place for the transmission of personal data from the retailer to the third party.

The obligation to keep personal data secure

The Act provides that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. Where a system is hacked or an employee leaves their laptop on the train, with unencrypted personal data on it, there is on the face of it a breach of this principle. With the increasing accumulation by retailers of personal data, necessarily held online, the costs of a breach can be devastating: customers whose bank details have suddenly become available online will not be in a forgiving mood towards the retailer whose defences have been breached.

As a retailer, what do I need to do?

Talk to the customers

Customers want to know how their data is being used, to understand the purpose and benefits of data sharing and how secure their data is. With these concerns in mind, it is essential that customers are kept informed about how their behaviour is being tracked both in-store and elsewhere and how their data will be used. Retailers should be upfront about what monitoring they will be doing and explain the benefits to the customers and how their anonymity will be protected – at appropriate junctures in the sales (and non-sales) journey.

Give customers the opportunity to say no

Where personal data is going to be collected and processed, customers should be given a clear, fair and unconditional way to opt out of this; retailers should ensure that they obtain compliant consents from customers to process or share their data and certainly before it is used to issue direct marketing.

Think twice before transferring personal data overseas

We have written separately on the risks involved with transfers of personal data overseas, particularly to the USA, and particularly following the ruling of the Court of Justice of the European Union declaring the so-called “Safe Harbor” (which enabled transfers of personal data to the United States) invalid.

Data security is a boardroom matter

Operational responsibility will doubtless reside below board level, but a first step towards effective data security is to recognise that it is not something that can be left to the “geeks in the basement” and individuals should be appointed to manage data security with direct reporting lines to the board.

Conduct a risk assessment

You should review where personal data is held; whether any of the data is “sensitive” (and therefore should be subject to enhanced security measures, such as encryption); as well as the effectiveness of systems’ security. Where personal data is transferred to a data processor, including cloud providers, there must be a written contract in order to comply with the Act, and the terms of that contract should be reviewed to ensure the data processor is obliged to maintain the data securely and process it in accordance with the requirements of the Act.

Create an incident report plan

If a data breach does occur, directors and relevant staff need to know what to do. Legal counsel and PR staff should be involved. A clear strategy needs to be devised – before things go wrong – for informing both consumers and regulators. Following the TalkTalk breach, the ICO criticised the company for a delay in notification of the incident.

Staff training

Train staff on their data protection responsibilities and policies adopted. For example, employees are increasingly bringing their own devices to work. This creates data protection risks and staff should be trained on what those risks are and how to manage them.

How can Walker Morris help?

We regularly advise retailers on developing data protection compliance strategies, obtaining ICO registrations, and collecting and transferring data internationally, with a view to minimising the risk of breaches and ICO enforcement. We provide specialist advice to our retail clients on marketing via post, email and text, along with website compliance and internet sales, and regularly work with clients on the exploitation of databases, including electronic marketing initiatives.

We can talk to you about the specific regulatory requirements facing the retail sector and how to put in place appropriate policies and procedures to deal with the threat of cybercrime. We can also assist in auditing your key supplier and customer contracts for cybercrime risks and update your employment policies and service contracts.