By Ivan Ivanov, Access Partnership
Technology has transformed the retail industry from top to bottom. With mobile applications, social media platforms, and data analytics, retailers have increased their customer reach and improved their operations. With increased digitalization, however, the sector is exposed to data privacy breaches. In turn, national and regional regulatory bodies have required companies to adopt appropriate measures to protect consumer data.
Of these, the six-month-old EU General Data Protection Regulation (GDPR) has proved to be the biggest regulatory challenge for retailers and e-commerce platforms, with fines of up to EUR 20 million or 4 percent of annual global turnover (whichever is higher). Despite the harsh consequences, though, companies have made mixed efforts to comply: as few as 20 percent of U.S. and EU companies felt GDPR-ready in July, one month after the law came into effect in May 2018, while 65 percent of U.K. consumers believed the law had made no difference at all three months on.
Before, most consumers simply accepted the terms and conditions of opt-back-in emails without reading them. Since the GDPR, we’ve seen the increasing prominence of lengthy privacy notices on online platforms. But in both instances, the supplied explanations failed to provide consumers with a better understanding of, or control over, how their data is used. Clearly, companies need to be more transparent and develop simple, concise privacy statements.
While early enforcement has focused on big tech companies, retailers can’t get comfortable. The law applies to all organizations processing consumer data of EU citizens, regardless of the company’s location or sector. In short, the GDPR has brought unprecedented regulatory attention to companies, and retailers must understand their obligations and exposure to liability.
Because the GDPR fines are retroactive, companies must adhere to best practice as they wait for the first test case and gain insight into the law’s implementation. Retailers need to be prepared. They must determine what data they have and what their rights are to use it. Transparency, accountability, and good faith will be the best defense against scrutiny from regulators or the public.
For those already struggling to familiarize themselves with the GDPR, the EU ePrivacy Regulation and even a U.S. privacy law are waiting around the corner. The ePrivacy Regulation is an update to 2011’s “Cookie Law” that required disclosure of tracking cookies used on websites. It aims to protect the privacy of electronic communications and is partially designed to stop the use of customer data to provide targeted advertising. The highly visible impact on retailer targeted advertising and e-commerce means the progress of this Regulation should be closely watched.
In the U.S., a federal privacy law might not see the light of day any time soon. However, the growing push for a federal privacy regime by lawmakers demonstrates a keen interest in protecting cross-border data flows. In short, compliance with existing and future global requirements (and their interpretations) will be an ongoing challenge for retailers for the foreseeable future.
Fortunately, these obligations offer a silver lining for retailers. Consumers today demand accountability and a trustworthy environment to foster a long-term brand-consumer relationship. A comprehensive data protection framework will therefore add value to a retailer’s business. Beyond technical measures, data protection measures should include compliance, engagement with industry groups like information sharing and analysis centers, government relations in key markets, and collaboration with technology, payment, and related industries.
About The Author
Ivan Ivanov is the Marketing Manager of Access Partnership, a global public policy consultancy for the tech sector, driving marketing and communications strategy to build media and stakeholder engagement around key tech policy issues. With a strong business intelligence background, he supports organizations with research projects and advisory services. He can be reached at firstname.lastname@example.org.