It has been a busy year for data privacy with significant regulatory action and interesting developments relevant to the luxury and retail industries. As we are all aware, personal data is an extremely valuable commodity to the luxury and retail industries and therefore it is important to understand the trends and pitfalls to be aware of when you are dealing with this important asset.
Trends:
Direct marketing
The UK data protection regulator (the ICO) has been very active in the area of direct marketing and issued a number of fines over the past year, including to some well-known names (American Express (£90k), Saga (£150k), We Buy Any Car (£200k) and Sports Direct (£75k)), for contravening the direct marketing rules. These fines were issued for reasons we see time and time again in relation to direct marketing, including mislabelling a “marketing” email as a “service” email and therefore not having an appropriate lawful basis, not having valid consent from a subscriber and not fully satisfying the requirements of the UK soft opt-in rule. If you are a retailer sending marketing communications, you will be fully aware of the nuances of such communications, and these fines emphasise the importance of getting it right.
Further, it is not just email marketing that has caught the eye of the regulator; other forms of targeted advertising using personal data remain under intense scrutiny. In 2020 we saw guidance issued at EU level by the European Data Protection Board (EDPB) on social media retargeting, and we believe it is only a matter of time before we see enforcement action off the back of this. The ICO has also reopened its investigation into the adtech industry following significant pressure by privacy activists, and there has been a lot of noise within various EU institutions around the lawfulness of online behavioural advertising, with some MEPs calling for an outright ban. Although there has been some relatively significant action in this space so far (e.g. Grindr suffering a €6m fine from the Norwegian DPA), we are also awaiting the outcome of some other very significant investigations by various EU regulators, so this will certainly be an interesting space over the coming year.
Transparency
The Irish Data Protection Commissioner (DPC) imposed a record €225 million fine on WhatsApp Ireland Limited for breaching the GDPR’s transparency obligations “with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service”, including information about the processing of individuals’ data between WhatsApp and other Facebook companies. Aside from the eye-watering amount, this case is also interesting because the EDPB stepped in and required the DPC (which has a reputation for being a more lenient regulator than its continental counterparts) to reassess its initial fine and come back with a number with more bite. Transparency has always been a key accountability principle under the GDPR, and now we have seen the consequences of getting it wrong.
Children’s data
In September 2020, the ICO issued its Age Appropriate Design Code, otherwise known as the Children’s Code. There was a 12-month transitional period for organisations to comply with the Code, which ended on 2 September 2021, meaning we are now in the enforcement phase and the ICO may take action. The Children’s Code translates the GDPR requirements into design standards for online products and services which are ‘likely to be accessed by children’ (i.e. anyone under the age of 18). It has a wide scope and failure to comply can lead to compulsory audits, processing bans and fines, and of course reputational damage. Increasingly, where organisations are processing children’s data within the scope of the Children’s Code, they will need to ensure they have appropriate protective measures in place, including geolocation off by default, age appropriate transparency and default settings. This will likely involve a significant technical change for a lot of organisations and most are at the beginning of their journey, albeit with a roadmap detailing how they will comply.
Cookies
Historically, cookie compliance has been the elephant in the room. Most organisations know they are getting it wrong but are reluctant to address it. However, all retailers, especially with the increased importance of e-commerce, will be aware of the requirement to obtain consent for non-essential cookies. There has been an increased focus on the use of such cookies, including an EDPB task force especially set up to address cookie law compliance and complaints around cookie banners, and market leaders such as Apple and Google implementing technologies with restrictions on the ability of organisations to use cookies. It is getting more and more difficult to avoid compliance both from a regulatory scrutiny perspective and a commercial perspective, not to mention the increase of nuisance litigators.
Regulator focus on AI
Over the past couple of years, there has been an increased regulatory focus on how personal data is affected by AI. Last year, the ICO reviewed and updated its co-badged guidance with the Alan Turing Institute, which is aimed at giving organisations practical advice when implementing an AI solution. Cutting-edge retailers will no doubt be considering AI/VR options, not just online and in store to enhance customer experiences, but also within their supply chains to drive efficiencies. Despite the increased guidance, this is still a relatively uncertain area from a compliance perspective, and implementing AI solutions is still fraught with legal challenges.
Supply chain breaches
Data breaches continue to make headlines, with some notable household names being the victims of sophisticated hackers. However, there have also been breaches resulting from supply chain wrongdoing. For example, Audi and Volkswagen were left exposed after one of their vendors did not adequately protect the data of 3.3m customers. Although we have yet to see material action arising from this breach, the incident reiterates to retailers the importance of keeping on top not just of their own security but also of the security of their respective supply chains.
Class actions
Finally, in the major case of Lloyd v Google, it was held in November 2021 that the UK’s first ‘opt-out’ data class action would not be permitted to go ahead. This will have an impact on other defendants against whom representative proceedings had been brought using a similar M.O., on matters ranging from data breaches to use of children’s data and cookies. While it is the end of the road for this claim, the door has been left open for a two-stage process, something that will give food for thought to claimants and their legal teams.
Things to be aware of going forward:
- If we haven’t drilled it into you enough – Transparency. Is. Key. You must be clear with data subjects how you intend to use their data, and if you are caught within the scope of the Children’s Code, make sure your transparency is age appropriate.
- If you are caught by the requirements of the Children’s Code, you should be taking active steps to achieve compliance in line with your roadmap. The protection of children online is high on the government’s agenda and will be a key area of focus for the regulator now that we are out of the transition period. As the ICO has released various guidance, we suspect it will take a relatively dim view of organisations’ lack of compliance in this area.
- If you are exploring the use of AI and VR solutions, both in store and online, as well as within your supply chain, ensure appropriate attention has been given to the data privacy risks associated with those solutions, particularly in light of the fact you will be likely processing significant amounts of potentially more ‘sensitive’ data. Mapping and documenting your decisions around these data privacy risks will be key to ensuring you remain on the right side of compliance.
- Regularly review and stress test your security measures, both technical and organisational, to ensure that your data remains secure. This does not just mean ensuring you have the best antivirus software in place. You should be regularly looking at your internal practices and ensuring people within the organisation are taking appropriate steps to protect personal data, such as password protecting documents, locking laptops, only sharing personal data on a need to know basis and disposing of personal data appropriately. Whilst you might not be able to protect against every hacker, it is important not to let yourself be exposed.
- Even if you have a great privacy compliance and security framework, you will still be sharing data with your suppliers, and for the most part you will be responsible for how they treat the data you share with them. Supply chain management is imperative: carrying out vendor due diligence (and actually checking the responses, not just sending a checklist), ensuring you have a robust contract in place with appropriate data protection provisions, carrying out regular audits and security assessments, providing breach training, and ensuring you have the appropriate internal procedures in place to manage vendors.
- In light of the recent marketing fines and ICO direct marketing guidance (albeit still in draft form at the time of writing), review your marketing strategies (including loyalty programmes) to ensure they remain compliant. Now more than ever, luxury retailers need to really understand, and connect with, their customers, and therefore it is more important than ever that all marketing strategies respect the key privacy-by-design principle that underpins our existing data protection law. In particular, when deploying new strategies that combine first-party and/or third-party data sets, for example your own customer list being combined with a third-party data set in order to enrich your data, careful consideration needs to be given to the associated data privacy risks, and data protection impact assessments (DPIAs) should be carried out to demonstrate that those risks have been considered and mitigated appropriately.
- If you are carrying out social media retargeting and/or online behavioural advertising, the regulator has been clear that you cannot just leave it to the service provider to ensure compliance. You must engage with the social media and advertising companies appropriately and be aware of your data protection responsibilities, including carrying out a DPIA if required (which it likely will be). Finally, you should ensure appropriate consents have been obtained in respect of any online or device tracking you carry out in respect of this activity.
By Bryony Long and Tamsin Hoque, Data – Lewis Silkin
Request a PDF copy of our Business in 2022 report.