The retail and fashion sectors need to deal with new legal issues due to the adoption of IoT technologies as a consequence of the rapid digital revolution of the industry.
The “wave” of the Internet of Things is heavily impacting the retail sector, leading to new legal issues that most fashion brands, and retail companies in general, have never experienced.
McKinsey estimates that the potential economic impact of IoT in retail environments will range from $410 billion to $1.2 trillion per year by 2025. But such massive growth in the usage of IoT in the retail sector has to deal with legal issues concerning not only data protection compliance and cybersecurity but also, among others, product liability.
What is the IoT in the retail sector?
The Internet of Things is leading retail companies, including fashion companies, to know their customers better, customize and improve their purchase experience and services through, among others, sensors and big data analytics. Indeed, the magic words of the last years are CRM and profiling as retailers want to be able to foresee customers’ behaviors and potentially direct them according to their marketing strategies.
It is still early to predict what will be the areas of significant growth for the Internet of Things in the retail sector, but the following appear to be some of the most interesting at the moment:
It is commonly known as “me-tailing” and refers to the ability for retailers to collect data in real-time about their customers from different sources. Mobile phones, social media, in-store channels, and wearable technologies, for instance, can offer very personalized interactions with their customers, e.g. in terms of customized offers.
Understanding the preferences and the behavior of customers is essential to be able to show the right products to the right customers. This conduct is already quite frequent in online stores and is increasing in physical stores. But it requires detailed filtering of customers’ preferences, which entails comprehensive profiling of them. For instance, the usage of “smart” cameras to understand who the most frequent customers are is becoming quite common, also in stores of top fashion brands.
Such activities are considered “dangerous” under the General Data Protection Regulation. For instance, the European Data Protection Board recently issued guidelines on CCTV systems (and in particular smart cameras). But in general, such invasive conduct requires the performance of a privacy impact assessment and might need a prior consultation with the competent data protection authority.
Likewise, the need to increase the simplicity of payments represents one of the most relevant areas of growth for the Internet of Things technologies. Our smartphone, smartwatch, or any other wearable technology shall be able to communicate with the system of shops to make payments more comfortable and faster. However, the obligation to implement the requirement of the so-called “strong authentication” prescribed by the Payment Services Directive 2 (that is now in place) might considerably impact this market.
Tracking items and customers
RFIDs are already commonly used in the retail sector to prevent thefts. But they can now be used to collect additional information about customers, their preferences and their location, as well as for inventory management, also in view of its integration with the online sales channel. At the same time, QR codes on product labels make it possible to provide additional information about the items and perform in-store marketing activities. And the recently forged standards for RFID logos and data protection tests have already been developed to boost the growth of this market.
However, the core of the Internet of Things is given by sensors. They can be used in the retail sector to change the environment, e.g., an interactive display, when a shopper is in the proximity. However, they can also be used for in-store analytics and therefore, to track and measure the flow of customers in specific areas of shops.
Commentators also see the future of the retail sector in Bluetooth Low Energy (BLE) applications, commonly known as beacons, and similar technologies. Most smartphones and wearable devices are already equipped with such applications, which communicate with beacon devices located in shops and enable retailers to track and send notifications to their customers during their visit to the shops.
The main advantage of beacons is that they can detect the location of customers with a very detailed approximation (i.e., between 5 and 10 m). Such a solution makes in-shop marketing, tracking, and payment much more effective and accurate. For instance, customers might receive push marketing notifications on their smartphone when they get close to discounted products.
However, profiling linked to the collection of location data leads to significant privacy-related issues as well as labor law issues, if such tracking is performed on employees.
What legal issues may the IoT trigger in the retail sector?
An Internet of Things technology relies, in essence, on the collection of data about individuals, their processing either individually or in the form of big data, and their usage to increase efficiency and sales through tailored services and marketing initiatives.
The European data protection regulators raised some of the issues relating to the Internet of Things technologies in the retail sector. In particular, the main issue raised by European privacy regulators concerned the lack of transparency of these technologies. Customers are not aware of when and how their personal data are collected, the purposes for which their personal data are processed, and the entities to whom data are communicated. The problem relates to the level of information and the type of consent that is required from customers for the usage of such technologies, especially taking into account that the data collected through them can generate detailed profiles of users.
As mentioned above, an attempt to find efficient solutions has been already performed by the European Commission with reference to RFIDs, but we are working to find similar solutions also for different Internet of Things technologies.
A properly run privacy impact assessment will be crucial to avoid the risk of the massive fines prescribed by the GDPR. Also, we usually work with technicians to find solutions that can meet business needs in the most data protection compliant manner. Indeed, sometimes the business does not need to collect such a large amount of personal data (or even does not need to collect personal data at all), but such collection occurs just because it is more convenient.
As I covered in this previous post, the risks in terms of cybersecurity are massive with the Internet of Things technologies that lead to a substantial volume of exchanged data. At the same time, the implementation of security measures might lead to inefficiencies. Also, the loss of, or unauthorized access to, data stored through such technologies can lead to privacy-related liabilities for the so-called “data breach”, with not only communication and notification obligations but also potential fines of up to 4% of the global turnover under the new EU privacy regulations.
The implementation of “adequate” security measures is not just a question of technological investments but requires putting in place technical and organizational measures that make it possible to prove that whatever the law required was implemented, with an adequate level of diligence. In this respect, the adoption of a privacy by design approach is not only an obligation but also an opportunity, as it provides the tools to be able to prove data protection law compliance and to exploit data that otherwise should be deleted or subject to considerable restrictions.
Liability of the different entities involved
A common issue that arises with the Internet of Things technologies pertains to the liability of the various entities involved in the management of the technology. Indeed, retailers will often rely on a technology provided by a tech company that, in turn, will manage a cloud database through its subcontractors. Therefore, the issue is how retailers should be protected not only in terms of service levels but also from potential reputational damages, for instance, in case of loss of data or cybercrime. And an open problem is also about who should be the “owner” of the collected data, for instance, in the case of big data, which triggers the compliance obligations mentioned above.
These are all matters that have been addressed by the European Commission in its current attempt to set new rules on the Internet of Things. However, the identification of the right balance between consumers’ protection and enabling the proper exploitation of IoT technologies will be challenging.
All the issues above are further amplified through the use of artificial intelligence systems in connection with IoT technologies. AI combines a large amount of collected data with deep processing that can lead to outcomes that might be out of control.
What we are trying to achieve for our retail and fashion clients is to ensure compliance with the obligations mentioned above in a business-oriented manner, also providing the required protections against legal issues deriving from IoT technologies, according to modalities that are financially feasible for suppliers.
On the topic above, you may find interesting the articles “CCTV cameras under strict data protection law obligations” and “Big data is the money maker of the Internet of Things”.