
The retailer's guide to Big Data


Retailers have long known the value of collecting and using customer information for internal analytics and marketing. Indeed, for decades, retailers such as grocery and drug stores have benefited from the vast amount of data generated by customers using their loyalty discount cards to save on their food, toiletry and related purchases. With advancements in technology, retailers now have access to more information than ever about their customers, not only from their own collection practices, but from third parties as well. But with the exciting potential for the use of this data, retailers need to be aware of the legal and reputational pitfalls that come with maintaining and using these treasure troves of data.

A Bridge Too Far

Retailers have historically used information collected about customer purchases to mail them targeted advertisements and coupons based on these purchases. But these efforts can backfire if the practice is pushed too far, as one major discount retailer learned when it used information from customer purchases to determine that certain customers were pregnant or were planning on becoming pregnant, and began sending them coupons for products typically used by women in early pregnancy. This incident resulted in adverse press reports and consumer outrage but no viable legal actions. But the message was clear: exercise caution when using customer data. The “best” idea may not always be the most prudent. Consider your reputation.

Inside Track

As technology continues to develop at breakneck pace, retailers are able to gather more information than ever about their customers. Not just what they buy, but what they pick up, look at, and don’t buy. With the use of RFID trackers and in-store cameras, retailers have more insight than ever into how consumers navigate their floor, how long they stay, and whether they shop alone or with others. While much of this data may be nonpersonal and combined with other guest experiences in an anonymous manner to provide store usage analytics, some retailers are already using facial technology to identify particular individuals and linking into guest mobile phones via their Bluetooth. As above, using technology to collect guest data provides many advantages, but consideration must be given to balancing such use and your guests’ privacy. A starting point is providing guests with notice of your in-store data collection practices, preferably at the entrance and other conspicuous locations throughout the store. No doubt there will be laws in the near future addressing these practices.

Data Breaches

It's not if but when. These are the dreaded but true words facing every company that collects and maintains consumer information. Sadly, as much as anyone can do to protect data from unauthorized access, hackers will always be one step ahead of the game and find a way in. Whether through free Wi-Fi or a vendor network, retailers are under constant cyberattack for the vast amounts of valuable data they maintain on their customers, including credit cards, a hacker’s grail. And lawmakers aren’t making it any easier for retailers as the federal government and several states have begun introducing laws that would hold merchants responsible for breaches, including reimbursing consumers for costs and expenses incurred as a result of a breach. In addition, several of these laws also seek to place prescribed data security standards on all companies that hold consumer data, which would expand regulatory oversight to the general retail industry from the current framework for financial institutions and health organizations under the Gramm-Leach-Bliley Act and the Health Information Portability and Accountability Act, respectively. The absence of a general, national data security law has not, however, hindered the Federal Trade Commission from investigating and suing companies that don’t, in the agency’s opinion, provide adequate protection for their guests’ information. Despite its inability to cite a single particular data security law or regulation in its complaint, the FTC sued Wyndham hotels for failing to adequately protect their guests’ information following the hotel chain’s third data breach. Rather than lie down and settle the FTC’s charges, which is how over 90% of these cases end up, Wyndham chose to fight the FTC, claiming that it has no statutory authority to bring the claim, as Congress has not granted the agency any power to develop specific data security standards for companies that maintain nonsensitive data. For now, the case continues with the court urging both sides to settle.

Sing Me a Song

Several states have enacted laws that prohibit either requesting or requiring a consumer to provide any personal information as a condition of paying with a credit card. As it does in many consumer protection areas, California was the first state to enact this type of law, known as the Song-Beverly Act, in an effort to curtail retailers from collecting contact information from consumers for marketing purposes. Many states followed suit, enacting similar laws, and the plaintiffs’ bar was not far behind, filing an astronomic number of consumer class actions under these laws, seeking millions of dollars in “damages” from unwitting retailers.

How far this law has gone is exemplified by a California court decision finding that a ZIP code is personal information since it, when combined with other databases available to the general public, will allow contact with a particular consumer.

What’s a Store to Do?

With all of the issues facing the industry today, what can retailers do to protect themselves in an ever-challenging privacy environment? For starters, retailers can take guidance from an FTC 2012 staff report on privacy, where it laid out a road map for establishing strong and meaningful privacy and data security policies and procedures.

First, embrace the concept of “privacy by design,” which means incorporating sensitivity to privacy concerns into every new business idea and throughout the life cycle of its implementation. It also means inviting all stakeholders to the table to offer their two cents on how consumer information will be collected, used, shared and protected. While obvious players include legal and IT, other invitees should come from marketing, sales, vendor relations, compliance, and the like. Once gathered, all stakeholders need to decide what the goals are for the intended business plan and how policies and procedures to use and protect the collected information will be implemented. Legal departments need to determine whether any laws apply and how compliance will be achieved.

Second, only keep information for as long as reasonably needed. While the marketing department will no doubt balk at this suggestion, the FTC advises that keeping consumer data beyond its useful life simply puts the data (and the company) in jeopardy of a breach. Obviously, these issues will need to be discussed and negotiated.

Third, legal will need to determine whether consumers should have access to the information collected about them and an opportunity to review and update such information, if warranted. While this requirement will likely only apply to online data collection practices, if married with offline data, consumers may have a right to view this information.

Last, Protect, Protect, Protect. Do not skimp on data security measures. In this day and age, “too much” security is not enough. While there are various legal issues implicated by a data breach, the reputational concerns and public view of your company will far overshadow the costs of cleaning up and containing the fallout.

Marc Roth is
