Gayle McFarlane and Charlotte Walker-Osborn of Eversheds Sutherland discuss scan & go and similar technology deployments in a post GDPR world.
The following guest article has been written for InternetRetailing by Privacy and Technology Partner, Gayle McFarlane, and Partner and International Head of Technology Sector, Charlotte Walker-Osborn, both of Eversheds Sutherland.
Scan and go heralds a new era of efficiencies for both retailers and consumers. Consumers can forego the tills and the queues, avoid human interaction (if they want to), pay without needing to bring their card or carry cash, and reduce their wallet size by having their loyalty cards stored neatly on an app.
Retailers, on the other hand, may benefit from increase in customer through-put, customer satisfaction, reduced requirements to deal with taking payment in-store and increased insight into their customers’ behaviour.
But at the same time, retailers do need to consider the implications of the new General Data Protection Regulation/privacy laws, and consider whether their data collection is lawful. So, does the GDPR place limitations on these benefits, and do retailers need to do anything different to comply?
As users utilise scan & go technology, there is an opportunity for retailers to gain a huge amount of information about their customers. Since the launch of supermarket loyalty schemes, the inferences that retailers can draw and the ability to target promotions to customers who are most likely to increase their basket has been a major benefit.
Scan & go can add another dimension to this information. As well as being able to log customers’ purchases, retailers can potentially gather additional information about the journey to that final basket – what items were scanned but then swapped out, what order were purchases made in, and by consequence, what route did the customer take around the store. This information could be easily used to create more bespoke targeting, as well as understanding more about customer experience within your store.
Some retailers’ technology already takes scan & go one step further by getting rid of the scan element; instead using cameras, sensors, RFID and deep learning to understand when items have been removed from a shelf and purchased, again, collecting valuable information about how customers like to shop.
But, is this information personal data, and therefore governed by the GDPR?
In most cases, yes. Data associated with the scan & go activity will be associated with a user account. Even if retailers allow users to sign up with pseudonyms, the GDPR makes clear that any online identifier can be sufficient to identify an individual, and therefore any data connected to that identifier will be information about that individual. Whilst shopping habits are not “personally identifiable information” in a US context, meaning information which can identify an individual, they are information which relates to the identified individual in question. From a European data protection perspective, therefore, they are protected as personal data.
A key requirement of the GDPR – although not a major change from the previous data protection regime – is that retailers need to be transparent with customers about what they are doing with the data they collect.
“Just in time” notifications could be particularly key here – alerting or reminding shoppers of how their data will be used when they start to scan, or even letting people know that certain items won’t be logged, such as prescriptions or other health-related purchases. Customers could also be alerted to their rights – such as the right to object to their information being used for direct marketing – at key points in the transaction. All of this needs to be thought about with your web/mobile designers/your technology providers so that these notifications are built in at the right time.
The GDPR sets out a prescriptive list of the information which retailers are required to “make available”. But most importantly, customers are entitled to know not only what data is collected, but also what it is used for, and this includes what “lawful basis” the retailer is relying on for that use.
The “lawful bases” are specific – and exhaustive – purposes which are set out in the GDPR itself, with some additional support in the Data Protection Act 2018 for retailers in the UK. The lawful basis for using the data to calculate the total bill, or a refund is clear – the performance of the contract with the customer.
However, any further processing becomes less clear, and it is likely that the retailer will need to either get consent, or rely on a “fuzzier” basis, called “legitimate interests”.
This lawful basis applies where the processing is necessary for the legitimate interests of the retailer (or another third party, such as any brand partners), but it’s subject to a balancing test – it cannot apply if those interests are overridden by the rights and freedoms of the customer.
The GDPR specifically recognises that direct marketing may be carried out on the basis of legitimate interests. However, retailers still need to ensure that they are happy that the particular marketing in question is legitimate, necessary and proportionate to those interests, and not unduly intrusive. In particular, the ICO recommends that a three part test is applied, considering the:
The more intrusive the monitoring is, the more likely that these tests will not be met.
Obtaining consent automatically jumps these hurdles – but you need to be clear what you are obtaining consent for. Consent must be freely given, specific, informed and unambiguous. That’s a fairly high hurdle to meet so that the customer really understands what you are asking them to consent to.
Consent must also be separate from other matters and not bundled together – you can’t require someone to consent to profiling for direct marketing purposes, for example, in order to be able to use the scan & go service, because that profiling is not necessary for the use of the service and could be separated out.
Additional “lawful bases” are required if the data includes special categories of personal data. These will include information about health or religion, or racial or ethnic origin, as well as other related information. Pharmaceuticals could obviously easily reveal information of this nature, but whilst you may think that everyday groceries or consumer goods would not, it should be noted that inferred data may also fall within this category, and therefore a customer record which showed that only halal meat was purchased, or magazines aimed at a specific ethnic demographic, may well result in special categories of data being analysed.
Special categories of data are much more difficult to manage, as consent may be the only reliable lawful basis available – and a clear, specific and explicit (as is required for special category data) consent for this type of processing could be difficult to obtain.
Retailers, therefore, should carefully consider how and when data which could be special categories of data is collected, and what it is used for, to ensure that a lawful basis is available for any specific processing activity. Where possible, such data should not be used for any purpose other than the performance of the contract with the customer – selling them the goods and handling any returns.
Collecting this information is one thing, but the creation of a profile, and then the use of that profile to make decisions about individuals is also governed by the GDPR.
If your use of a profile alone will have a significant impact on your customer – for example by having a material impact on pricing or promotions, or eligibility for store credit – then the customer has a right not to be subjected to that unless you can demonstrate that it is necessary for the contract you have with the customer, or they have explicitly consented.
Careful consideration must therefore be given to the impact of any profile on the individual. If such decisions are made, you will need to provide a right of escalation to a human decision maker.
As many of you will know, scan & go and similar technologies can require the integration of a number of third parties, including payment processors or other smart technologies. It is vital, as with all contracts where personal data will be shared with multiple parties, to ensure that, to the extent that third parties are acting as your processor, appropriate contract terms are put in place, reflecting the mandatory provisions of the GDPR.
The key output of the GDPR is to put the customer in control of the way in which their data is used. If you are transparent and open about what processing is taking place, and allow customers to exercise choice, the GDPR will not prevent you from collecting and using this data.
The GDPR, however, does also provide customers with additional rights in order to keep retailers in check – and also to allow them to change their mind.
If your processing is based on consent, then individuals can withdraw that consent at any time. If you are processing personal data for the purposes of direct marketing, including profiling used for direct marketing, then an individual has the right to object to that processing no matter what the lawful basis is – and you are required to stop processing that data for direct marketing purposes.
In addition, customers have two rights to access their data. The first is the right to data portability. This means that to the extent a customer has given you their personal data, and it is processed automatically and on the basis of consent or to perform the contract with the customer, then they have a right to obtain this data in a commonly used machine readable format. Bearing in mind customers will be scanning all of their own purchases, some thought should be given to the extent that this right of portability might apply, and how it could be complied with.
Equally, customers have a right to access all of the personal data you hold about them. This would extend beyond simply the lists of purchases, but could also include any inferences you have made about them – any categorisation or segmentation applied to them.
In the tech market, many organisations are looking for ways in which these rights can be automated, to allow users to be able to “self-serve” this information, and some retailers are already following suit.
If you keep your customer, their expectations and the protection of their data at the heart of your project then there’s no reason why the GDPR would prevent you from implementing, and benefiting from, scan & go and all it can offer.
The information provided in the article is for general information purposes only and should not be relied upon as a detailed legal source.