Consumers are increasingly demanding a more personalised shopping experience online, but new research reveals two thirds (67%) of UK consumers are concerned about how brands use their personal information, such as their name, email, location, and marital status. The same proportion (66%) worry their personal data security could be compromised by the latest IoT gadgets, including smart watches, fitness trackers, and home devices such as Amazon’s Echo.
These statistics are a worry for brands who rely on customer insight to tailor their services. Further to this, brands face a challenge in restoring confidence among shoppers with GDPR enforcing an opt-in/opt-out policy for consumers. Retailers are scrambling for answers on how and why they need to change their methods of data collection and management to meet the privacy requirements but one thing is clear – consumers will be empowered to say “no” when targeted with irrelevant marketing material. And more importantly, retailers will have to listen.
The digital world is set for change. Retailers will no longer be able to target and connect with consumers online in today’s carefree manner once the European Union’s new General Data Protection Regulation (GDPR) comes into force next May.
So, when does “yes” mean “yes”?
This is a serious question that retailers need to be addressing. They should sit up and listen to their customers when they say enough is enough. However, there is still a business to run and we know that data has become a retailers most valuable asset in the digital age. With GDPR’s requirement that consumers must specifically opt-in for all uses of their data, and must be given unrestricted rights to opt out, retailers need to think and act clever in order to prevent a mass exodus of their customers and prospects.
Retailers must stop seeing people as just numbers, but as individuals with their own digital identity. By persuading visitors to identify themselves at the point of site entry via registration, retailers can tie demographic, interest and behavioural data to these individual identities. However, the big pay-off is in being able to continually ask contextual questions which enhance the user journey, an approach called progressive identity. Online retailers, for example, can allow shoppers to gradually build a profile based on dress size, favourite designers and colours, giving consumers the power to share only the data points that they believe will provide them with the best value exchange, and making sure they know exactly where to go to update or edit these permissions, ensuring personalisation never comes as a surprise.
Above all, it is important for retailers to define and manage consent when GDPR is implemented, to not only stay compliant but to build trust and enhance relationships at a time when reputation is well and truly on the line.
To do this, retailers must fully understand what is meant by ‘consent.’ GDPR sets a high standard for consent, meaning people will be offered genuine choice and control over how their data is used by companies. Consensual data helps retailers build trust and enhance their reputation.
How will this impact retailers?
For a start, a review of legacy consent mechanisms will be required. Retailers will need clear and more granular opt-in methods, authoritative records of consent, and simple easy-to-access ways for people to withdraw consent. This revolution in data consent reflects a more dynamic view on the importance of permission based data, treating it as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away.
Despite there being a business requirement to improve the consent process, there are still several areas of GDPR that call for more guidance, mainly in what will be an accepted user interface. Different requirements can have significant impact on business performance of registration pages and beyond. A few examples of GDPR requirements are:
1. Keeping consent requests separate from other terms and conditions. The ambiguity here opens the door for retailers to question what this means they need to do. Does this require separate check-boxes for the general terms of service and for consent? Can consent to specific data uses not be contained within the terms and conditions or terms of service on a site?
2. Named consent. The guidance requires naming third parties used by the retailer. Large enterprises are often using tens of services to fulfil their business needs, from analytics services to customer identity and access management (CIAM) solutions. Will it be sufficient to present these in a consent statement linked from the registration page?
3. Alternatives to consent. It seems it will be helpful to further detail retailers can determine if they can process personally identifiable information (PII) based on ‘legitimate interest’ rather than on consent.
These questions are a few of many. For retailers to successfully implement correct consent requirements, there needs to be some clarity of ‘consent granularity.’ Many retailers will want to know what level of granularity will be acceptable. For example, will online registration pages need to include three to four check-boxes representing permission to use PII for services such as product recommendations, email marketing, loyalty programs, and so on?
As more time elapses, we will need to see how ’general’ concepts of the GDPR will be turned into black-and-white rules that retailers can follow to achieve GDPR compliance and put in place the best way to get data customers have consented to sharing.
At this stage, retailers need to focus on what they need clarity on, and to fully understand what consent under GDPR means for the business, its employees and its customers.
Richard Lack is managing director – EMEA at Gigya