Monitoring customer behaviour holds appeal for retailers. However, the collection of customer data may give rise to

difficulties especially in relation to privacy and security. Louise de Gier and Joost Gerritsen reveal what is legally permitted and

what is not. How far may retailers go when using tracking technologies?

by: Louise de Gier and Joost Gerritsen, Photo: ANP – Originally published in: Automatisering Gids, June 2015

Customer tracking in the retail sector

E-commerce has featured

prominently amongst retailers

during the past decade: there has

also been a need to serve customers

online. This has had to be done

through a web shop, for example:

from bricks to clicks. These

developments have yielded online

retailers a treasure trove of detailed

information on their customers and

the latter's spending patterns. At

present retailers are seeking to

obtain an identical degree of insight

into their customers by using

tracking technologies in their own –

brick and mortar – shops. With their

aid it is possible for a retailer to

determine the number of customers

in their outlet and monitor their

movements. However, such

customer data collection raises a

number of difficulties, especially in

relation to privacy and IT security.

The retail sector already makes

widespread use of shop and street-

level data. In the Netherlands there

are department stores which use

beacons and other technologies to

present offers to repeat customers.

A customer heading for the checkout

is then approached by a charming

young lady asking them to proceed

to a special cash register, where they

receive a gift as a valued repeat

customer. Such a customer is

recognised by a beacon in the shop.

In addition, "beacon cover" is

available in shopping precincts and

even entire towns. The Frisian town

of Grou has comprehensive beacon

cover, according to the initiators. It

involves 60 businesses. The shopping

centre, Les Terrasses du Port, in

Marseille in the south of France has

as many as 190 participating

retailers and catering operators. In

such areas shoppers are exposed to

promotions which vary from issuing

coupons to giving away welcome

groceries and product information.

Retail data flows are also evident

elsewhere. For example, in the

clothing industry customers are

provided with a body scan to help

them find clothes that fit. Other

accessories can be displayed with

the aid of a mirror fitted with an

FRID tag. Manufacturers are also

inserting data in chips. In this way it

is possible for certain appliances to

indicate when a new part needs to

be replaced.

Little concern

By employing these technologies

retailers are learning a great deal

about their customers. Little concern

is evident amongst the general

public in relation to this. The

majority of consumers are prepared

to sacrifice privacy in exchange for

appropriate, personalised offers.

This has been shown in a survey of

2000 consumers conducted in the

United States of America and the

United Kingdom. Two thirds of the

respondents felt it important to

receive offers and were willing to

sacrifice privacy in return. Other

studies reveal that as many as 89%

of global consumers opt for a

retailer that is able to provide

personalised discounts or offers.

Nevertheless, it is exceptionally

important for retailers to exercise

care when "selling" personalised

offers to consumers. Various

retailers have experienced this,

including the American retail chain,

Nordstrom.

Nordstrom informed its customers

that their location details were being

monitored. Consumers were able to

specify that they did not wish to

assist with this by opting out.

Nordstrom received too many

adverse responses and consequently

stopped doing this in 2013. The

same happened to the American

chain of coffee outlets, Philz Coffee,

which also halted Wi-Fi tracking in

April 2014.

It goes without saying that shoppers

should be informed of any tracking

technologies which are used with

the aid of signs or stickers. However,

doubts may be raised in relation to

the impact of such signs. An

American study reveals that alerts

addressed to consumers in shops are

barely noticed. What is appropriate

for a personalised service is the

provision of personalised

information. For this reason it is

advisable to provide information to

customers on a one-on-one basis

where possible. In the case of

passive tracking technologies signs

are the only practical solution for the

time being (see the box). On the

other hand, where active tracking is

involved an app may be used to

request a customer's consent and

information may be provided as to

what will happen to the relevant

data. This also applies in the case of

any social media or a website of a

shop or retail chain which is used to

provide personalised offers, stating

that the relevant data will only be

used by the shop or retail chain

concerned.

Continued on the next page…

Monitoring customers legally

The most important legal principles allowing customers to be monitored

legally in a shop are mentioned here. They are general principles. In each

case one must assess whether the technology that is employed and the

manner in which the data is used are legally permissible.

• Personal data: most tracking technologies use the MAC address of a

smartphone or some other device. According to the CBP, MAC

addresses represent personal data and the Wbp applies.

• Tracking customers in one's own shop: a customer's consent is not

always required in this case. A shop owner may consider it to be in its

own legitimate interests to collect data, provided that those interests

outweigh those of the consumer, including the latter's interest in

having their data protected. According to the relevant minister, Kamp,

it is in a retailer's legitimate interests to determine the number of

visitors to their shop and to monitor shoppers' movements, provided

that this is not combined with other personal data. Although this

opinion is not law, his comment does constitute a significant guideline

for shop owners.

• Tracking customers in public areas: if data is to be collected from

passers-by in public areas outside a shop, their consent must be

sought. This is because passers-by should not need to suspect that

they may be tracked. In this case a passer-by's interest in privacy

outweighs the retailer's interests.

• Inform customers properly where possible: the privacy regulator, the

CBP, believes that customers must always be informed about data

processing with the aid of tracking technologies.

• Make it possible to opt out: where data processing is required in a

business' interests and the infringement of privacy would be limited, a

retailer need not first seek consent, provided that an opt-out option is

available. If monitoring occurs for statistical reasons, customers must

be able to use such an opt-out feature to opt out, according to the

CBP.

• Consent required for profiling purposes: the CBP states that, where a

retailer wishes to profile its customers, they will need to seek the

latter's consent.

• Comply with the rules governing cookies: the rules governing cookies

set out in the Telecommunications Act [Telecommunicatiewet] may

also play a role, for example, as soon as information is sourced from a

smartphone with the aid of an app or some other device belonging to a

customer.

Security

Apart from this, too little attention is

still devoted to security in spite of

the fact that businesses have a legal

duty to ensure that personal data –

for example, personal data sourced

from smartphones or other devices

– is properly secured against leaks or

any form of unlawful data

processing. If it becomes known that

data has been hacked, 12% of

consumers opt out while a further

72% are adversely affected. Other

research reveals that 23% of

consumers no longer use a credit

card, once it has been hacked. The

policy pursued by retailers in this

respect is often too limited,

confining itself to fraud involving

payments. More attention needs to

be devoted to insurance and the

training of staff, who often

represent a weak link in relation to

security.

This is particularly relevant, because

data is stored in various ways. A

customer's MAC address is localised,

once their smartphone Wi-Fi facility

goes in search of a network or this

occurs with the aid of an app

supplied by the relevant retail outlet

itself. In this case the consumer

consents to this. Such an app utilises

beacons.

Anyone who tracks customers with

the aid of technology is very readily

involved in personal data processing.

For example, this may occur through

the MAC address of a smartphone or

some other device belonging to a

customer. In such a case a retailer is

required to comply with the

Personal Data Protection Act [Wet

Bescherming Persoonsgegevens]

(Wbp). The Dutch Data Protection

Authority (CBP) regulates

compliance with such legislation. It

accords priority to tracking and

tracing especially in relation to the

requirement that customers be

properly informed. In addition, the

CBP examines whether consent has

been requested appropriately and

whether an adequate opt-out

alternative has been offered. It is

important that retailers comply with

the regulations, more so now that

the CBP will be acquiring greater

powers in the future, including the

power to impose stiff fines.

Legal issues involving tracking technologies

In legal terms passive technologies are the most problematic, because customers are barely able to exercise any choice as to

whether they wish to be monitored by a retailer or not. It is also an open question as to whether a customer can be clearly

informed about data processing. In legal terms active technologies may be reconcilable with privacy legislation as long as the

customer retains control over their data, can give their consent (for profiling, for example), can halt any data processing if

required (opt-out) and can decline any personalised services. In addition, other privacy principles, such as those pertaining to

data security, must also be observed and data must not be stored for longer than is necessary. In his analysis, the chief

technologist of the American regulatory authority, the Federal Trade Commission, concluded that the legal issues may vary

from one tracking technology to another. His analysis has yielded the following overview (see the table).

Technology Identifiers Employed Provision of Information to Customers and Option

to Seek Consent

Active Wi-Fi Wi-Fi MAC address Provision of information about tracking during the registration process

(for example, when logging in to a Wi-Fi hotspot). Option to choose,

for example, with the aid of a smartphone.

Passive Wi-Fi Wi-Fi MAC address Provision of information with the aid of signs or stickers. Options

confined to turning off one's smartphone or other device.

Active

Bluetooth

Depends on the

app used and

the features of

the operating system.

Information about tracking in the privacy terms and conditions as part

of the relevant app installation procedure. Option to choose, for

example, with the aid of a smartphone.

Passive

Bluetooth

BT MAC address Provision of information with the aid of signs or stickers. Options

confined to turning off one's smartphone or other device.

Louise de Gier is a lawyer and

partner with the firm of De Gier

| Stam Advocaten specialising in

big data and privacy

(louisedegier@degierstam.nl).

Joost Gerritsen (twitter:

@JBAGerritsen) works as a

lawyer for the same firm. He

also specialises in big data and

privacy (www.degierstam.nl).