A recent study by Vogue Business on retailers' use of customers' personal data demonstrates a significant mismatch between the personal data actually collected and shoppers' understanding of this.
Data subject access requests made to a number of retailers showed that, as would be expected, they collect basic information from their shoppers (e.g. name, addresses and email addresses). However, the results also showed that they collect personal data about those same shoppers from other sources. Retailers are regularly combining basic data with information available on an individual's Facebook or Twitter account, personal data about that individual collected by other retailers (e.g. sister brands) and information about that individual from customer loyalty cards. Retailers may also collect technical information about an individual's navigation of their websites (e.g. product search terms, favourite designers, and how far down an individual scrolls on a particular page).
Whilst GDPR does not prohibit these kinds of data collection, certain obligations must be met. Articles 12 and 13 require data controllers (in this case, the retailers) to make clear, in a concise and intelligible form, their data collection and processing activities in their privacy notices to individuals. To the extent that data controllers deviate from their privacy notices, their data processing activities risk being deemed unlawful.
Of course, the advantage of collecting and analysing personal data is clear: more personal data typically means a more personalised and relevant offering to an individual. This is even more important within the luxury goods sector, where customer purchases are more infrequent and considered.
However, the risk arises where there is a difference between what individuals are told about the data activities and what actually occurs in practice. The report commented on a Deloitte study which concluded that there is a significant gap between "what retailers are using data for and why consumers think that it is being gathered".
To remedy this, retailers (and, indeed, all data controllers) should ensure that their privacy notices accurately reflect all data processing activities, alongside how and when individuals' personal data is collected. There is, understandably, a tension between clearly explaining data processing activities and the increasingly complex ways in which businesses use data. Also, given the rising use of artificial intelligence in the retail sector (e.g. to analyse data and make product recommendations), retailers may not even be aware of certain data processing activities which are taking place. Brands may therefore feel that they are not able to be fully transparent about their use of personal data. However, the UK's data protection regulator, the ICO, is unlikely to be sympathetic to such an argument. The ICO has recently published its updated draft Direct Marketing Code, which is under consultation until 4 March 2020. All businesses should review the Code, when published in final form, as it provides practical guidance and aims to promote good practice. The ICO will take into account adherence to the Code when considering compliance with data protection and e-privacy rules. In particular, in certain direct marketing situations, it may be necessary to carry out a Data Protection Impact Assessment (DPIA), e.g., in relation to some data matching activities.
Interestingly, the article notes that fashion retailers are generally considered to be behind the curve when implementing personalisation techniques. As fashion brands choose to embrace further personalisation and the data analysis it requires, they are advised to ensure that their privacy policies reflect these new data processing activities.