
Data privacy in the digital age

In the throes of digitization, much about the world around us has changed, not least the ways we communicate and share information. For retailers, this new environment presents challenges concerning data governance and a host of disparate laws to consider.

By Ritchie Po

In August 2022, the French cosmetics retailer Sephora agreed to pay a $1.2 million penalty to the Attorney General of California. It was the first enforcement settlement under the California Consumer Privacy Act (CCPA) and is, for that reason, the most high-profile to date. The penalty is part of a settlement with the Attorney General's office that also binds Sephora to corrective steps it must complete in order to comply with the CCPA.

The penalty was levied because Sephora failed to disclose to its customers that it was selling their personal information to third parties, had no process that allowed consumers to opt out of that sale (including no mechanism to honour opt-out signals such as the Global Privacy Control sent by a user's browser), and failed to cure these deficiencies within the 30-day period that the CCPA then allowed a business to fix a violation before enforcement.

It should be noted that the term "sale" is unusual in the CCPA (and its successor, the California Privacy Rights Act, or CPRA) in that it does not require a financial transaction. A "sale" under the California law is any disclosure of personal information to a third party for monetary or other valuable consideration, and the CPRA adds "sharing" for cross-context behavioural advertising, which needs no consideration at all. Disclosure to a service provider bound by a contract that meets the statute's requirements is excluded, but the exclusion is narrow: in Sephora's case, the data that third-party analytics and advertising vendors collected from its website through cookies and tracking tags was found to be a sale, because Sephora received services such as analytics and targeted advertising in exchange for it. Any comparable disclosure to an analytics provider, a third-party cookie, or any other processor of personal information should be assessed the same way.

Retailers face considerable loss-prevention challenges today, but data privacy protection is not always part of that conversation. The Sephora penalty is a prime example of a loss that prevention would have averted, and it crystallizes how data privacy protection is not simply an academic due diligence exercise. In Sephora's case, the financial losses include not only the penalty, but also the cost of retaining consultants and legal counsel to represent the company before the Attorney General, the hours technicians spent retroactively operationalizing legislative requirements, public embarrassment and a drop in the public perception of the brand, and (where a breach is involved) credit monitoring for affected customers, all of which is absorbed not just by Sephora, but also by its parent company, LVMH. These challenges apply to retailers of all sizes, not just the larger global brands. At the time of writing, no class action or similar lawsuits claiming invasion of privacy had been filed against Sephora, a fate which befell Tim Hortons when it was found that its app was over-collecting location data from customers' mobile devices. So how does a company operating in multiple jurisdictions handle the ever-growing complexities of cross-border data privacy challenges in the digital age?

Retailer responsibility

Generally, under Canadian privacy laws, a retailer collecting customer personal data is responsible for it as its custodian. This responsibility remains even (and especially) when the retailer discloses the data to its vendors. The accountability principle can be found at all levels of Canadian privacy law, such as the federal PIPEDA, British Columbia's PIPA, and Quebec's Law 25, amongst others. The custodian remains accountable for the personal data that its service providers collect and process on its behalf. For instance, a large retailer using a credit card service provider is responsible for the personal data the third-party vendor processes to complete sales transactions.

The challenge of custodianship is also present in other jurisdictions. For instance, Europe's General Data Protection Regulation (GDPR) assigns different responsibilities to entities depending upon their role as either a "controller" or a "processor" of personal data. An entity is a controller if it determines the purposes and means of processing, whereas a processor processes personal data on a controller's instructions, typically as a service provider or third-party vendor. To complicate things further, the same entity can be a controller for some processing and a processor for other processing. In addition, two separate companies that jointly determine the purposes and means of processing are joint controllers, each answerable to the data subjects. The obligations attached to processing personal data are not to be taken lightly: administrative fines under the GDPR can reach €20 million or 4% of worldwide annual turnover, whichever is higher, for non-compliance or for a data breach. The largest fine at the time of writing was levied in 2021, when Luxembourg's data protection regulator fined Amazon Europe a staggering €746,000,000 for non-compliance with the GDPR.

Due diligence

The Canadian Federal Privacy Commissioner has a guide called "Getting Accountability Right with a Privacy Management Program", which outlines the privacy policies and procedures an organization should have in place to ensure ongoing privacy protection. The guide is aimed at private-sector organizations and includes steps such as appointing a privacy officer to manage the program, establishing privacy controls, assessing and revising those controls on an ongoing basis, and being able to demonstrate compliance to the regulator and to the public. However, one cannot simply parrot or cut-and-paste principles from a guidance document and pass them off as one's own without backing them up with a complete suite of documents and the practices behind them.

Governance

A complete privacy due diligence program includes external and internal policies that outline the way a retailer intends to collect, use, disclose, and store customer personal data. It is not enough to have a policy on a website, because the retailer must also train its staff on how to handle personal information. Additionally, a privacy program must include ongoing training materials, a dedicated privacy breach response protocol (as a supplement to the IT security incident response protocol), privacy impact assessments completed for high-risk data processing activities, and consent forms customized for each processing activity that requires consent under applicable law. If a retailer does not have enough work to justify a full-time privacy officer, the role may be assigned to an existing employee (such as a CIO, CISO, IT manager, or legal counsel), or it may be outsourced. European law firms and consultancies do robust business providing outsourced Data Protection Officers (DPOs), and retailers in the Americas have begun retaining similar DPOs as external consultants.

Legal

While a DPO or privacy officer has custody of the privacy management program, their work should be done in concert with the buy-in and support of legal counsel, as privacy practices may have to be supported and confirmed in legal documents. For instance, when retaining an external service provider to whom personal data is being disclosed, a DPO would recommend that dedicated privacy protection clauses be included in the master service agreement. If the DPO is not a lawyer, they must rely upon legal counsel to draft the relevant clauses and ensure they are enforceable against the vendor. For transfers of personal data outside the European Economic Area, European retailers typically rely on the Standard Contractual Clauses approved by the European Commission under the GDPR, but it is up to legal counsel to determine which set (or module) of the SCCs applies to a given transfer and to advise the retailer on the legal risks of relying on them.

Additionally, privacy protection clauses should require vendors not only to contain privacy breaches that occur on their side while supporting a retailer, but also to report those incidents to the retailer promptly and to support the retailer's response when (not if) a privacy breach occurs. The advantage of having legal counsel work with a retailer's DPO is being able to enforce these requirements if a vendor refuses to cooperate in the wake of a data breach.

Furthermore, DPOs can work with legal counsel to determine the risk of storing personal data out-of-country. For instance, EU-based retailers may not be concerned with storing customer data in Canada, as the European Commission has deemed Canadian privacy protection (for organizations subject to PIPEDA) to be adequate, but they may take issue with storing such information in the United States because of the US government's sweeping surveillance powers and the means by which it can compel the production of personal information under laws such as the USA PATRIOT Act and the USA FREEDOM Act. Even choosing an American-based cloud service provider that hosts the data in Canada may pose issues, since under the US CLOUD Act such a provider can be compelled to produce data it holds abroad in response to a US court order or warrant. Legal counsel can also ensure that retailers have sufficient cyber-liability coverage, as this type of insurance is often not included in a commercial general liability policy.

Operational challenges

Once a privacy program is in place, with a complete document suite, and it has been reviewed with your privacy officer and legal counsel, you have to put everything into operation. What are some of the challenges of operationalizing abstract due diligence and legal requirements?

Surveillance

If your brick-and-mortar store has cameras for security reasons, you must account for the data collected through surveillance. While the safety and security of staff and customers is paramount, the retailer is still collecting personal information in the form of the images, movements, and likenesses of everyone in the store and in its immediate vicinity. The retailer remains the custodian of that personal data and must ensure that the collection, use, disclosure, and storage of the footage aligns with applicable privacy laws. Retailers often outsource this to an external security company, and need to confirm that the service provider does not use the footage for purposes unrelated to security surveillance.

This means developing a clear understanding of why staff at the security firm need access to the footage and how long it is kept. Retailers must also notify customers that they are being filmed, which is often conveyed with signs that say "Smile! You're on camera!"

Fulfilment

If your order is fulfilled from a warehouse rather than in the store, you must ensure that warehouse staff have the personal data required to package the goods, and no more. Fulfilment does not need the entire customer profile. It needs the order number, details of the merchandise, and possibly the name of the customer; ask yourself whether fulfilment needs to see the payment information or contact information for that customer. This separation is easier for a larger retailer, but it is not always possible for a small business where the salesclerk takes the order, fulfils it, and also delivers the merchandise, as there is no division of labour.

Payment processing

Your payment processor collects customer credit card information, but you need to ensure that the personal data the processor collects is strictly required, and that you know the processor's retention schedule. Complicating the issue of storage is the fact that privacy laws generally require personal data to be destroyed once it is no longer needed for the purpose for which it was collected (some jurisdictions set explicit timelines), whereas card-brand dispute rules and financial record-keeping obligations can require transaction records to be kept longer. PCI DSS itself does not mandate long retention; it requires that stored cardholder data be kept to the minimum needed and governed by a documented retention policy, and it forbids storing sensitive authentication data such as the CVV after authorization. Your privacy officer must therefore reconcile these differing retention schedules, ideally so that the retailer holds only a processor-issued token and the last four digits rather than the full card number. Since payment card processors are frequent targets for attackers, any disclosure or sale of customer personal data must be strictly necessary.

Delivery

When using a private courier (as opposed to the postal service) or an in-house delivery team, retailers must provide the delivery company with sufficient information to effect delivery, and no more. While this includes the name, address, and contact information needed to reach the recipient, retailers must also be mindful of any other personal data the courier may be collecting. This may include video recordings of couriers as they drive, reports of issues, and proof of identification upon delivery. In the Philippines, for instance, it is legal and even necessary for couriers to photograph the person(s) receiving a package to confirm acceptance and delivery, to combat otherwise rampant fraud and theft of packages. Big box retailers often have cameras pointed at drivers, thereby recording not just the drivers' movements and activities but also background footage of others who happen to be in the vicinity. Constant surveillance permitted in one jurisdiction may not be permitted in another, so the same privacy practices cannot be applied uniformly everywhere.
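The fulfilment and delivery sections above both come down to the same control: each downstream function sees only the fields it needs. The following is an added example (not code from the original article or from any retailer) of a default-deny projection of an order record, where fulfilment, courier and finance staff each get a view containing only the fields allowlisted for their role, and a full card number or CVV in the record is refused outright. The role names, field paths and the sample order are assumptions made for illustration.

```python
"""Default-deny projection of an order record per downstream role.

Added example, not code from the original article or from any retailer.
Role names, field paths and the sample order are assumed for illustration.
"""
from copy import deepcopy

# Allowlist of dotted field paths per role (assumed for illustration).
# Anything not listed is dropped, so a field added to the order record
# later stays hidden from every role until someone deliberately grants it.
ROLE_FIELDS = {
    "fulfilment": {"order_id", "items", "customer.name", "shipping.method"},
    "courier": {"order_id", "customer.name", "customer.phone", "shipping.address"},
    "finance": {"order_id", "total", "payment.scheme", "payment.token", "payment.last4"},
}

# The order record should only ever hold the processor's token and the last
# four digits of the card.  A full card number or CVV in the record means
# something upstream is storing what it must not; refuse to serve it.
FORBIDDEN_PATHS = {"payment.pan", "payment.cvv"}

# Constructed sample order; not real customer data.
SAMPLE_ORDER = {
    "order_id": "ORD-1001",
    "items": [{"sku": "LIP-204", "qty": 2}, {"sku": "SRM-017", "qty": 1}],
    "total": 87.50,
    "customer": {
        "name": "A. Example",
        "email": "a@example.com",
        "phone": "+1-555-0100",
        "loyalty_id": "L-4477",
    },
    "shipping": {"method": "courier", "address": "123 Example St, Vancouver, BC"},
    "payment": {"scheme": "visa", "token": "tok_7f3a9c", "last4": "4242"},
}


def _leaf_paths(obj, prefix=""):
    """Yield every dotted path to a non-dict value in a nested dict."""
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from _leaf_paths(value, path + ".")
        else:
            yield path


def _get_path(record, path):
    """Return (found, value) for a dotted path without raising on misses."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False, None
        cur = cur[part]
    return True, cur


def _set_path(out, path, value):
    """Write `value` at a dotted path, creating intermediate dicts as needed."""
    parts = path.split(".")
    cur = out
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = deepcopy(value)  # copy so callers cannot alter the source


def check_record(order):
    """Raise if the stored order contains card data that must never be held."""
    present = FORBIDDEN_PATHS.intersection(_leaf_paths(order))
    if present:
        raise ValueError(f"order holds forbidden card data: {sorted(present)}")
    return True


def project(order, role):
    """Return a new dict holding only the fields allowed for `role`."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"no field allowlist defined for role {role!r}")
    check_record(order)
    view = {}
    for path in sorted(ROLE_FIELDS[role]):
        found, value = _get_path(order, path)
        if found:  # fields missing from the order are simply absent from the view
            _set_path(view, path, value)
    return view


if __name__ == "__main__":
    for role in ROLE_FIELDS:
        print(role, project(SAMPLE_ORDER, role))
```

The allowlist is the point: a blocklist ("strip the payment block before sending to the warehouse") silently leaks whatever field is added next, while an allowlist makes every new disclosure an explicit decision that can be reviewed against the privacy program. The same projection can sit in front of the export that goes to a courier's API.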

Website issues

It is not enough to simply post a privacy policy. As retailers become increasingly global, they must answer the question: which law and which privacy policy applies to what we do? The answer may be found by working through the following.

Jurisdiction-specific notices

California requires a "Do Not Sell My Personal Information" notice (now "Do Not Sell or Share My Personal Information" under the CPRA). Europe's GDPR requires that data subjects (customers) be informed of their rights. Canadian federal and provincial laws differ on these requirements; some resemble the CCPA and CPRA, while others resemble the GDPR. The challenge for retailers is therefore to have policies that meet the legal requirements of the jurisdictions where they operate and where their customers are located. The scope rules differ as well: the GDPR applies to any business that offers goods or services to people in the EU or monitors their behaviour, whatever its size ("large scale" processing matters for whether a DPO must be appointed, not for whether the GDPR applies), while the CCPA/CPRA apply to for-profit businesses doing business in California that exceed the statute's thresholds, such as annual revenue above $25 million or buying, selling or sharing the personal information of 100,000 or more California consumers or households. Once a business is in scope, the legal requirement to post the correct notices is triggered.

Cookie Notices

Although Canadian privacy laws do not generally require retailers to post cookie notices (Quebec's Law 25 moves in that direction by requiring that users be told about technologies that identify, locate or profile them), an increasingly large number of Canadian entities are proactively conforming to the more stringent requirements of other jurisdictions. These include disclosing the types of cookies set on a customer's device and their purposes. Additionally, a retailer must account for the types of personal data being disclosed to analytics or hosting providers to ensure that it is not over-collecting personal information. These might include IP addresses, browser sessions, web beacons, and other metadata captured when a consumer visits the retailer's online shop.
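The notice and cookie requirements above only matter if something on the server actually enforces them. The following is an added example (not code from the original article or from any consent-management vendor) of a per-request decision about which tracking categories a web shop may trigger. It models the opt-in rule applied to EU visitors (no non-essential cookies or tags until the visitor says yes) beside the California opt-out rule, under which a "Do Not Sell or Share" choice or a Global Privacy Control signal (sent by supporting browsers as the `Sec-GPC: 1` request header) must stop sale or sharing; it also trims the visitor's IP address before it is handed to an analytics provider. How the region is determined, the consent cookie format, the region codes and the category names are assumptions made for illustration.

```python
"""Per-request decision on which tracking categories a web shop may run.

Added example, not code from the original article or from any vendor.
Region detection, the consent cookie format, region codes and category
names are assumed for illustration.
"""
import ipaddress
import json
from dataclasses import dataclass, field

ESSENTIAL = "essential"      # cart, session, fraud prevention: never gated
ANALYTICS = "analytics"      # measurement
ADVERTISING = "advertising"  # third-party ad and retargeting tags (sale/share)

OPT_IN_REGIONS = {"EU"}      # affirmative consent before anything non-essential
OPT_OUT_REGIONS = {"CA-US"}  # allowed until the visitor objects, by any route


@dataclass
class Request:
    """The parts of an HTTP request this decision needs (constructed, not a framework type)."""
    region: str                      # assumed to be set upstream, e.g. from geo-IP
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def parse_consent(cookies):
    """Read the shop's own consent cookie; absent or malformed means no choice made."""
    raw = cookies.get("consent")
    if not raw:
        return None
    try:
        data = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    return {k: bool(v) for k, v in data.items() if k in (ANALYTICS, ADVERTISING)}


def gpc_signal(headers):
    """True when the browser sends the Global Privacy Control header."""
    return headers.get("Sec-GPC", "").strip() == "1"


def allowed_categories(req):
    """Return the set of tracking categories this request may trigger."""
    categories = {ESSENTIAL}
    consent = parse_consent(req.cookies) or {}
    if req.region in OPT_OUT_REGIONS:
        categories |= {ANALYTICS, ADVERTISING}
        # An explicit "no" in the consent cookie removes that category...
        categories -= {c for c, ok in consent.items() if not ok}
        # ...and GPC is an opt-out of sale/sharing, so third-party ad tags go
        # even when the visitor never touched the cookie banner.
        if gpc_signal(req.headers):
            categories.discard(ADVERTISING)
    else:
        # Opt-in regions, and any region we cannot classify, fail closed:
        # only categories the visitor affirmatively accepted.
        categories |= {c for c, ok in consent.items() if ok}
    return categories


def anonymize_ip(ip_text):
    """Zero the host part (/24 for IPv4, /48 for IPv6) before sending to analytics."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def analytics_event(req, client_ip, path):
    """Build the analytics payload, or None when analytics is not permitted."""
    if ANALYTICS not in allowed_categories(req):
        return None
    return {"ip": anonymize_ip(client_ip), "path": path}


if __name__ == "__main__":
    gpc_req = Request(region="CA-US", headers={"Sec-GPC": "1"})
    print(sorted(allowed_categories(gpc_req)))
    print(analytics_event(gpc_req, "203.0.113.77", "/"))
```

Two design choices are worth noting. The decision is made server-side and the result used to decide which third-party tags are rendered at all, because a banner that merely hides tags in the browser still lets them load and still results in a disclosure. And the GPC check sits outside the consent-cookie logic: California's rules require the signal to be honoured as an opt-out even when it conflicts with a setting the visitor chose earlier, which is exactly the gap the Sephora settlement turned on.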

-------

Kobalt.io is an IT security management services provider comprised of an experienced team of cybersecurity professionals and developers who bring the monitoring capabilities of enterprise-class security teams to smaller organizations, helping them identify challenges in current approaches and seek out innovative ways to address them. For more information about the ways in which Kobalt.io can help your business, contact Ritchie Po, Privacy Lead, at ritchie.po@kobalt.io
