Appification of Retail and Data Protection

22 August 2017

The rise in online retail is seen by many as one of the key causes of the decline in footfall on the UK's high streets in recent years but the high street has been fighting back with its own innovative use of technology to help get more shoppers back into physical stores.

For example, offering smartphone apps which engage with customers to ensure high street shoppers benefit from the most up to date offers, promotions and even free goods. The latest generation of such apps operate based on geolocation and send out relevant content based on a shopper's physical location as well as their personal preferences.

Retailers are also using apps to enable mobile payments. Tesco recently launched its PayQwiq payment application, and Sainsbury's plans to continue the roll out of its SmartShop mobile payment app during 2017; all competing against the more established Android Pay and Apple Pay. These efforts are a means for retailers to simplify the shopping experience, reducing stress and streamlining the entire process, to (amongst other things) combat shopper apathy.

While applications can promote long-term engagement and enhance sales -  even the social media app Snapchat allows for retailers to have custom geofilters, which users can apply to their pictures when they are in a particular retail location - they do present concerns for retailers, especially when it comes to data protection. Many of these apps are collecting a wealth of potentially intrusive information on the user such as location data, accessing the phone's stored information, and reading the phone's internet data in the process.

Under the UK Data Protection Act 1998 (DPA), which is supplemented by the UK Privacy and Electronic Communications Regulations in relation to electronic marketing,  all data from which an individual can be identified, whether from that data alone or together with other data, and which relates to the individual would be covered as protected information, and retailers would have to be keenly aware of the compliance obligations, the extent of their responsibility for the data, and any data breaches or the possibility of the same when managing the applications. Tracking based on wi-fi or GPS data (as opposed to network data) would not necessarily require consent but is likely to require a consideration of the intrusiveness of the data as well as a notification to users. With an eye to the forthcoming General Data Protection Regulation (GDPR), app developers also have to be conscious of implementing privacy by design, minimising data access, enabling user controls, considering where data will be stored and implementing appropriate security measures. The Information Commissioner's Office has provided useful best practice guidance on app development and privacy under the DPA, which retailers and their developers should be aware of. This includes:

  • identifying if the app collects any personal data;

  • knowing who controls the possible personal data, including you and any third-parties, during the lifecycle of the app;

  • choosing what data you collect through the app;

  • considering how you will inform your users of the data collection and seek consent for the same;

  • considering how users can give you feedback and potentially control the data collected on them; and

  • most importantly, considering how that data is secured, both externally and internally in the device, and ensuring proper functionality through continuous testing.

A breach of data protection legislation can have serious consequences, including fines of up to £500,000 currently and legal claims from data subjects (although most breaches are initially handled through non-litigious measures). Therefore, all retailers handling data (not just those using apps) need to be aware of their current obligations under the DPA, including the need to comply with the Data Protection Principles and data subject rights.

Further, enforcement powers of regulators will be significantly enhanced under the GDPR, which is coming into force in May 2018.

Advances in technology are providing retailers with unprecedented opportunities to interact with their customers and, if used effectively, this technology could have a transformative effect on the Great British high street. But alongside the potential benefits, retailers should be aware of the risks and challenges associated with a more mobile and data-heavy retail landscape, and be sure to comply with applicable provisions on the processing and protection of personal data.

In an upcoming article we will discuss in detail the practical steps retailers should be taking in preparation for the GDPR.

Stay connected and subscribe to our latest insights and views 

Subscribe Here