Bloomberg Law

INSIGHT: It’s Holiday Time—Does Your Company Know Its Retail Privacy, Data Security Risks?

Nov. 25, 2019, 9:01 AM

As brick-and-mortar retailers look for ways to compete with online shopping, more and more are turning to the Internet of Things (IoT) to enhance customer engagement, in-store experience, and administrative and personnel efficiencies. However helpful, IoT use is not without its data privacy and security risks.

The last quarter of 2019 means the end of year holidays: The exchange of gifts and cards and the rekindling of lost connections around familiar traditions. The ting ting of bells ringing in best wishes for 2020 and the ching ching of cash registers at Black Friday and beyond. But wait. Do cash registers still exist? When was the last time you saw one?

That ching ching has been replaced by the silent sound of the internet and IoT devices that envelop your credit card and all your shopping history into the vacuum of data collection that has been pushing through retail for years. Shoppers don’t even need to leave their homes to connect to their goods, and the data savvy are using discount codes and e-coupons to save more than their brick-and-mortar bound peers.

But how is this all possible in 2019, one year after the General Data Protection Regulation (GDPR) went into effect and within months of the California Consumer Privacy Act (CCPA) coming into force? How can retail compete? How can retailers keep up with the fascinating barrage of IoT technologies when they must integrate the new and seemingly endless restrictions around data privacy that would appear to impede their ability to use the data they collect?

Data privacy is not the end of retail as some might predict, but there are issues that companies must be keenly aware of as they adopt new technologies and adaptive revenue models in today’s highly consumer-focused data privacy environment.

Data Security Is the New Black

Companies must have in place a comprehensive, industry-standard and justifiable (to both regulators and a jury of peers) set of internal data security protocols. Period. The personal information you collect must be kept secure from start to total deletion.

The Federal Trade Commission has stepped up consent orders and actions against companies for failing to have in place a minimum level of data security protections. It has recently gone so far as to extend responsibility beyond the corporate entity itself to individual officers and upper-level management and to require regular proof of third-party evaluations of data systems.

By March 2020, companies with the personal information of New York residents must have in place full scale compliance and data protection programs. New York’s Stop Hacks and Electronic Data Security Act (SHIELD Act), which amended New York’s data breach law, expands the definitions of both personal information and breach and widens the territorial scope to include any business that has the personal information of a New York resident, not just a company conducting business in New York.

And what can truly be called the greatest gift of all to come down the chimney, hailing from the world’s fifth largest economy (overtaking the United Kingdom in 2019) is the CCPA. The CCPA contains a private right of action for a data breach.

Jan. 1, 2020, the effective date, will sound more like alarm bells to any company that collects the personal information of California residents. And by personal information, we mean any information that “identifies, relates to, describes, or could reasonably be linked to an individual consumer or consumer household.”

The definition, similar to the definition of “personal data” in the GDPR, encompasses biometric data, IP addresses, internet activity, and profiles based on inferences gleaned from bits of data and internet activity with the additional notion of household data.

Opt Outs are In

As evolving data privacy regulations require, companies have adapted to the unsubscribe notion in marketing emails and promotions and cookie notices on websites. Most companies understand that consumers are able to stop email notifications that may follow a sale transaction and must be allowed to opt in, at point of sale, to receiving those communications.

The notion of pre-checked opt in boxes at check-out has largely been sidelined by the GDPR, but companies persist in keeping and sharing information for other purposes beyond open marketing solicitation.

Now California and Nevada have stepped in to make sure that those other purposes are being properly disclosed. Under the CCPA, companies must now conspicuously and clearly disclose to whom they sell (“to sell” is defined broadly) the personal information of California consumers and give those same consumers the right to opt out of that sale.

In addition, the California attorney general’s proposed regulations to the CCPA, which came out in early October and are still open for comment and revision, clarify ways for companies to calculate the value of consumer data and financial incentives to consumers who provide their data.

These tools and information are to be provided to consumers to assist them in their calculation of whether to exercise one of the opt out rights under the CCPA. This may have the perverse effect of exposing trade secret information that companies value about the ways they use personal information and data on their customers to maximize profits and sales of particular goods.

Data privacy is ringing in 2020 with substantial changes to the ways companies use personal information. Data security is no longer negotiable, and the costs related to a lackadaisical approach to data security continue to increase, especially as private rights of action flex.

Currently, the most difficult operational hurdle for companies is the consumer opt out rights that originated with the CCPA and are now multiplying to other jurisdictions like Nevada. These rights force companies to flow through those opt outs to every third party with whom they share personal information and require a lengthy upfront notice to consumers about the value of their data and the financial incentives provided for the personal information they disclose.

Data and the IoT have changed what companies can do to increase revenue, boost customer satisfaction and enhance user experience, but data privacy is tolling in 2020 with a tempo that beats to heightened security and consumer opt outs. Companies need to stay abreast as traditions give way to regulations.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Cynthia J. Cole is special counsel at Baker Botts in Palo Alto, Calif. Formerly CEO and general counsel, she counsels clients on GDPR, CCPA, data protection, technology transactions and deals, data sharing and IP licensing. She is also an adjunct professor of law at Northwestern Pritzker School of Law, teaching information privacy, and is certified as an Information Privacy Professional (CIPP/E) by the International Association of Privacy Professionals.