Roll the clocks back to 25th May 2018. Many retailers were fearing the worst about the General Data Protection Regulation (GDPR): cue a string of last-minute website changes, consent emails being sent, and records removed from databases. Surprisingly, a December 2018 survey by IT Governance discovered that only 29% of firms in the EU are fully GDPR compliant.
If we look back, although GDPR stole much of the limelight, three other data protection regulations were brought about at the same time: the new UK Data Protection Act 2018, the Data Protection, Charges and Notifications Act 2018, and the Privacy and Electronic Communications Regulation of 2003 (PECR). This goes to show how much of a challenge businesses face when it comes to data protection in 2019 and beyond.
In many cases, these regulations marked the first time that retailers have had to think carefully about the data they collect, the purpose of that data, and what they do with it.
Retailers have had to start thinking about how to comply with new rules around having contracts in place with the other organisations they share data with, such as marketing companies or web providers, and about appointing representatives if they have data subjects in other European territories. Both demand significant extra resource.
As if GDPR wasn’t enough of a challenge, the new ePrivacy regulation is set to put a spotlight on businesses, rather than the individual-focused GDPR.
You’d be forgiven for not knowing much about ePrivacy, as the regulation remains in the European Parliament for approval, with decisions on its future likely to be made in the spring of 2019.
What you do need to know, however, is that ePrivacy will intensify the levels of consent retailers need to target their customers online, in an effort to provide greater transparency on personal data processes. Let’s look at the technologies that will be affected, and what it means for the retail industry:
If we dive into the text within the regulation, it states that:
“Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third-party cookies’.”
Now, this statement has been drafted due to “consent fatigue”, caused by the abundance of requests we now receive on a daily basis.
How many times do you think users simply click ‘Agree’ or ‘Disagree’ without really knowing what they’re doing?
This is the argument put forward in the ePrivacy regulation, prompted by some websites simply assuming consent by nature of use, and others not effectively communicating what the cookies being placed will track.
It means that, to some degree, cookie tracking could be out of their control.
Pressure is being put on browsers, such as Chrome and Safari, to provide ‘blanket consent’ options during installation. Granted, this would cut down on the number of requests received, but it could also result in the mass loss of data that individuals find useful - such as items saved in shopping baskets.
However, the most likely scenario is that cookie consent and control will have to be made much simpler for online users, with a combination of clear language, simple explanation of cookies being used, and positive action needed for compliance. The result? A raft of website and policy updates.
We’re sure you’ll agree that, following GDPR, there hasn’t been a significant reduction in the number of emails received on a daily basis. The ePrivacy regulation aims to address this with a ban on unsolicited communication through a range of channels.
In the wake of GDPR, many retailers looked to their databases to either confirm the source of their consent to process data on an individual, or seek consent. The result was a huge drop in database sizes for the purposes of email marketing, and the ePR looks to extend the application of this further.
The most significant, and potentially most welcome, change will tackle unsolicited phone calls. Marketing calls will need to be identifiable, with a prefix that allows customers to identify who is calling them and to communicate withdrawal of consent if necessary.
Legitimate interest was deemed the saviour of many businesses’ GDPR efforts. It left room for movement in terms of communication, particularly around assumed consent during ‘pre-sale negotiations’, for example.
There was also an argument for legitimate interest in existing customers. The ePR recognises this, but puts a 12-month time limit on such communications being sent.
The long and short of this is that while gaining consent was a focus of GDPR, it will come under more scrutiny throughout the implementation of the ePR. Ensuring there is a compelling reason for an individual to sign up to communications is more important than ever.
Back in 2017 we looked at how WhatsApp could be used by retailers. Alongside other behemoths of the messaging world, including Facebook Messenger and Skype, it has created a new era of conversational commerce.
These technologies are classed as “Over The Top” (OTT) services, so named because they sit a layer above the traditional telecommunications network that would commonly be used to achieve the same end goal: communication.
Previously these services haven’t been bound by the same rules as network providers when it comes to data protection, meaning they can collect activity information such as location of a call, time initiated, etc.
As part of the new rules, OTT services will be bound by the same rules that networks are, meaning data must be anonymised if consent is provided, or deleted if it is not.
In all honesty, this won’t impact retailers beyond gathering a processing agreement from the platforms they use, which agrees to the applicable laws.
Ensuring this is in place, however, is essential. For smaller services, in particular, it’s important to make sure their practices are in line with the latest regulation.
As we saw with GDPR, there is a practical aspect to ensuring compliance in terms of putting measures in place to effectively handle the changes, and another in terms of ensuring policies and procedures are up to date should an investigation ever take place.
Ensuring these formal documents are up to date, covering the requirements of the latest regulations, is an essential aspect of compliance. And remember, this will apply whether the UK is part of the EU or not!