In May 2018, retailers had to think very carefully, for the first time, about the data they collect, for what purpose, and how they process it, after being hit with the most significant changes to data protection laws in the UK for 20 years.
Three new regulations, including the infamous GDPR, were introduced simultaneously, which together with the Privacy and Electronic Communications Act of 2003 form the four sets of data protection regulations that retailers must comply with.
As a result, many retailers realized that there would have to be significant changes in their processes, procedures, and notices to become compliant.
While around 20% of businesses report being GDPR compliant, many are still in the process of implementing data protection techniques or are ignoring the regulation altogether, leaving them exposed to the potential for high penalties and perhaps even orders to stop using personal data altogether.
And if the changing data protection regulations in 2018 weren’t enough to take in, 2019 could become even more challenging. For example, a ‘no deal’ Brexit would see the UK become a third territory from a data perspective. The most significant impact of this would be that all UK retailers that have customers in or from Europe will need to appoint a European Representative to comply with data protection laws.
Similar to the introduction of GDPR, we could see the introduction of the new ePrivacy regulation, which impacts marketing and tracking technologies that profile customers on a large scale.
You’d be forgiven for not knowing much about ePrivacy, as the regulation remains with the European Parliament for approval, with decisions on its future likely being made in the spring of 2019.
What you do need to know, however, is that ePrivacy will intensify the levels of consent retailers need to target their customers online, in an effort to provide greater transparency on personal data processes.
Let’s look at the technologies that will be affected, and what it means for the retail industry:
A Simpler Method Of Providing Cookie Consent?
If we dive into the text within the regulation, it states that: “Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third-party cookies’.”
Now, this statement has been drafted due to “consent fatigue,” caused by the abundance of requests we now receive on a daily basis.
How many times do you think users simply click ‘Agree’ or ‘Disagree’ without really knowing what they’re doing?
This is the argument put forward in the ePrivacy regulation, as a result of some web sites simply assuming consent by nature of use, and others not effectively communicating what the cookies being placed will track.
What does this mean for retailers? It means that, to some degree, cookie tracking could be out of their control.
Pressure is being put on browsers, such as Chrome and Safari, to provide ‘blanket consent’ options during installation. Granted, this would cut down on the number of requests received, but could also result in mass loss of data that could prove to be useful to individuals, such as the items saved in their shopping baskets.
However, the most likely scenario is that cookie consent and control will have to be made much simpler for online users, with a combination of clear language, a simple explanation of the cookies being used, and positive action needed for compliance.
The result? A raft of web site and policy updates.
Fighting Back Against Spam
We’re sure you’ll agree, following GDPR there hasn’t been a significant reduction in the number of emails received on a daily basis. The ePrivacy regulation aims to address this, with a ban on unsolicited communication through a range of channels.
In the wake of GDPR, many retailers looked to their databases to either confirm the source of their consent to process data on an individual, or to seek consent. The result was a huge drop in database sizes for the purposes of email marketing, and the ePR looks to extend the application of this further.
The most significant, and potentially most welcome, change will tackle unsolicited phone calls. Marketing calls will now need to be identifiable, with a prefix that allows customers to identify who is calling them, and communicate withdrawal of consent if necessary.
What does this mean for retailers? Legitimate interest was deemed the savior of many businesses’ GDPR efforts. This left room for movement in terms of communication, particularly surrounding assumed consent during ‘pre-sale negotiations,’ for example.
There was also an argument for legitimate interest in existing customers. The ePR recognizes this but puts a time limit of 12 months on sending such communications.
The long and short of this is that while gaining consent was a focus of GDPR, it will be put under more scrutiny throughout the implementation of ePR. Ensuring there is a compelling reason that an individual should sign up for communications is more important than ever.
WhatsApp, Facebook Messenger, Skype And More…
Now commonly used by retailers, the behemoths of messaging platforms, including WhatsApp, Facebook Messenger and Skype have created a new era of conversational commerce.
These technologies are classed as “Over The Top” (OTT) services, so named because they sit a layer above the traditional telecommunications network, which would commonly be used to achieve the same end goal: communication.
Previously these services haven’t been bound by the same rules as network providers when it comes to data protection, meaning they can collect activity information such as the location of a call, time initiated, etc.
As part of the new rules, OTT services will be bound by the same rules that networks are, meaning data must be anonymized if consent is provided, or deleted if not.
What does this mean for retailers? In all honesty, this won’t impact retailers beyond gathering a processing agreement from the platforms they use, which agrees to the applicable laws. Ensuring this is in place, however, is essential. For smaller services in particular, it’s important to make sure their practices are in line with the latest regulation.
Ensuring Compliance In 2019 And Beyond
As we saw with GDPR, there is a practical aspect to ensuring compliance in terms of putting measures in place to effectively handle the changes, and another in terms of ensuring policies and procedures are up to date should an investigation ever take place. Ensuring these formal documents are up to date, covering the requirements of the latest regulations, is an essential aspect of compliance.
And remember, this will apply whether the UK is part of the EU or not!
Kieran McGeehan is Managing Director & Compliance/Data Protection Specialist at Univate. McGeehan has over 15 years of experience in data compliance, holding positions within businesses such as AXA Insurance, HSBC, The Co-Operative Insurance, and is currently chairperson of the Global Association of Data Protection Representatives.