Customer tracking in the retail sector: how far may retailers go?
-
Upload
joostgerritsen -
Category
Retail
-
view
100 -
download
0
Transcript of Customer tracking in the retail sector: how far may retailers go?
Monitoring customer behaviour holds appeal for retailers. However, the collection of customer data may give rise to
difficulties especially in relation to privacy and security. Louise de Gier and Joost Gerritsen reveal what is legally permitted and
what is not. How far may retailers go when using tracking technologies?
by: Louise de Gier and Joost Gerritsen, Photo: ANP – Originally published in: Automatisering Gids, June 2015
Customer tracking in the retail sector
E-commerce has featured
prominently amongst retailers
during the past decade: there has
also been a need to serve customers
online. This has had to be done
through a web shop, for example:
from bricks to clicks. These
developments have yielded online
retailers a treasure trove of detailed
information on their customers and
the latter's spending patterns. At
present retailers are seeking to
obtain an identical degree of insight
into their customers by using
tracking technologies in their own –
brick and mortar – shops. With their
aid it is possible for a retailer to
determine the number of customers
in their outlet and monitor their
movements. However, such
customer data collection raises a
number of difficulties, especially in
relation to privacy and IT security.
The retail sector already makes
widespread use of shop and street-
level data. In the Netherlands there
are department stores which use
beacons and other technologies to
present offers to repeat customers.
A customer heading for the checkout
is then approached by a charming
young lady asking them to proceed
to a special cash register, where they
receive a gift as a valued repeat
customer. Such a customer is
recognised by a beacon in the shop.
In addition, "beacon cover" is
available in shopping precincts and
even entire towns. The Frisian town
of Grou has comprehensive beacon
cover, according to the initiators. It
involves 60 businesses. The shopping
centre, Les Terrasses du Port, in
Marseille in the south of France has
as many as 190 participating
retailers and catering operators. In
such areas shoppers are exposed to
promotions which vary from issuing
coupons to giving away welcome
groceries and product information.
Retail data flows are also evident
elsewhere. For example, in the
clothing industry customers are
provided with a body scan to help
them find clothes that fit. Other
accessories can be displayed with
the aid of a mirror fitted with an
FRID tag. Manufacturers are also
inserting data in chips. In this way it
is possible for certain appliances to
indicate when a new part needs to
be replaced.
Little concern
By employing these technologies
retailers are learning a great deal
about their customers. Little concern
is evident amongst the general
public in relation to this. The
majority of consumers are prepared
to sacrifice privacy in exchange for
appropriate, personalised offers.
This has been shown in a survey of
2000 consumers conducted in the
United States of America and the
United Kingdom. Two thirds of the
respondents felt it important to
receive offers and were willing to
sacrifice privacy in return. Other
studies reveal that as many as 89%
of global consumers opt for a
retailer that is able to provide
personalised discounts or offers.
Nevertheless, it is exceptionally
important for retailers to exercise
care when "selling" personalised
offers to consumers. Various
retailers have experienced this,
including the American retail chain,
Nordstrom.
Nordstrom informed its customers
that their location details were being
monitored. Consumers were able to
specify that they did not wish to
assist with this by opting out.
Nordstrom received too many
adverse responses and consequently
stopped doing this in 2013. The
same happened to the American
chain of coffee outlets, Philz Coffee,
which also halted Wi-Fi tracking in
April 2014.
It goes without saying that shoppers
should be informed of any tracking
technologies which are used with
the aid of signs or stickers. However,
doubts may be raised in relation to
the impact of such signs. An
American study reveals that alerts
addressed to consumers in shops are
barely noticed. What is appropriate
for a personalised service is the
provision of personalised
information. For this reason it is
advisable to provide information to
customers on a one-on-one basis
where possible. In the case of
passive tracking technologies signs
are the only practical solution for the
time being (see the box). On the
other hand, where active tracking is
involved an app may be used to
request a customer's consent and
information may be provided as to
what will happen to the relevant
data. This also applies in the case of
any social media or a website of a
shop or retail chain which is used to
provide personalised offers, stating
that the relevant data will only be
used by the shop or retail chain
concerned.
Continued on the next page…
Monitoring customers legally
The most important legal principles allowing customers to be monitored
legally in a shop are mentioned here. They are general principles. In each
case one must assess whether the technology that is employed and the
manner in which the data is used are legally permissible.
• Personal data: most tracking technologies use the MAC address of a
smartphone or some other device. According to the CBP, MAC
addresses represent personal data and the Wbp applies.
• Tracking customers in one's own shop: a customer's consent is not
always required in this case. A shop owner may consider it to be in its
own legitimate interests to collect data, provided that those interests
outweigh those of the consumer, including the latter's interest in
having their data protected. According to the relevant minister, Kamp,
it is in a retailer's legitimate interests to determine the number of
visitors to their shop and to monitor shoppers' movements, provided
that this is not combined with other personal data. Although this
opinion is not law, his comment does constitute a significant guideline
for shop owners.
• Tracking customers in public areas: if data is to be collected from
passers-by in public areas outside a shop, their consent must be
sought. This is because passers-by should not need to suspect that
they may be tracked. In this case a passer-by's interest in privacy
outweighs the retailer's interests.
• Inform customers properly where possible: the privacy regulator, the
CBP, believes that customers must always be informed about data
processing with the aid of tracking technologies.
• Make it possible to opt out: where data processing is required in a
business' interests and the infringement of privacy would be limited, a
retailer need not first seek consent, provided that an opt-out option is
available. If monitoring occurs for statistical reasons, customers must
be able to use such an opt-out feature to opt out, according to the
CBP.
• Consent required for profiling purposes: the CBP states that, where a
retailer wishes to profile its customers, they will need to seek the
latter's consent.
• Comply with the rules governing cookies: the rules governing cookies
set out in the Telecommunications Act [Telecommunicatiewet] may
also play a role, for example, as soon as information is sourced from a
smartphone with the aid of an app or some other device belonging to a
customer.
Security
Apart from this, too little attention is
still devoted to security in spite of
the fact that businesses have a legal
duty to ensure that personal data –
for example, personal data sourced
from smartphones or other devices
– is properly secured against leaks or
any form of unlawful data
processing. If it becomes known that
data has been hacked, 12% of
consumers opt out while a further
72% are adversely affected. Other
research reveals that 23% of
consumers no longer use a credit
card, once it has been hacked. The
policy pursued by retailers in this
respect is often too limited,
confining itself to fraud involving
payments. More attention needs to
be devoted to insurance and the
training of staff, who often
represent a weak link in relation to
security.
This is particularly relevant, because
data is stored in various ways. A
customer's MAC address is localised,
once their smartphone Wi-Fi facility
goes in search of a network or this
occurs with the aid of an app
supplied by the relevant retail outlet
itself. In this case the consumer
consents to this. Such an app utilises
beacons.
Anyone who tracks customers with
the aid of technology is very readily
involved in personal data processing.
For example, this may occur through
the MAC address of a smartphone or
some other device belonging to a
customer. In such a case a retailer is
required to comply with the
Personal Data Protection Act [Wet
Bescherming Persoonsgegevens]
(Wbp). The Dutch Data Protection
Authority (CBP) regulates
compliance with such legislation. It
accords priority to tracking and
tracing especially in relation to the
requirement that customers be
properly informed. In addition, the
CBP examines whether consent has
been requested appropriately and
whether an adequate opt-out
alternative has been offered. It is
important that retailers comply with
the regulations, more so now that
the CBP will be acquiring greater
powers in the future, including the
power to impose stiff fines.
Legal issues involving tracking technologies
In legal terms passive technologies are the most problematic, because customers are barely able to exercise any choice as to
whether they wish to be monitored by a retailer or not. It is also an open question as to whether a customer can be clearly
informed about data processing. In legal terms active technologies may be reconcilable with privacy legislation as long as the
customer retains control over their data, can give their consent (for profiling, for example), can halt any data processing if
required (opt-out) and can decline any personalised services. In addition, other privacy principles, such as those pertaining to
data security, must also be observed and data must not be stored for longer than is necessary. In his analysis, the chief
technologist of the American regulatory authority, the Federal Trade Commission, concluded that the legal issues may vary
from one tracking technology to another. His analysis has yielded the following overview (see the table).
Technology Identifiers Employed Provision of Information to Customers and Option
to Seek Consent
Active Wi-Fi Wi-Fi MAC address Provision of information about tracking during the registration process
(for example, when logging in to a Wi-Fi hotspot). Option to choose,
for example, with the aid of a smartphone.
Passive Wi-Fi Wi-Fi MAC address Provision of information with the aid of signs or stickers. Options
confined to turning off one's smartphone or other device.
Active
Bluetooth
Depends on the
app used and
the features of
the operating system.
Information about tracking in the privacy terms and conditions as part
of the relevant app installation procedure. Option to choose, for
example, with the aid of a smartphone.
Passive
Bluetooth
BT MAC address Provision of information with the aid of signs or stickers. Options
confined to turning off one's smartphone or other device.
Louise de Gier is a lawyer and
partner with the firm of De Gier
| Stam Advocaten specialising in
big data and privacy
Joost Gerritsen (twitter:
@JBAGerritsen) works as a
lawyer for the same firm. He
also specialises in big data and
privacy (www.degierstam.nl).