
Understanding retailer obligations concerning data collection

With the advancement of digital technologies come opportunities for retailers to get closer to their customers through the collection of their personal data. But, how much is too much? // By Ritchie Po

Sharing is caring, right? With respect to the collection of personal information by retailers, it actually isn’t. As customers share more and more personal data in order to purchase goods and services, retailers must understand their obligations in ensuring they do not collect too much personal information, and that they know the limits on the disclosure of their customers’ personal data to third-party service providers and partners. Two recent controversies have shed light on businesses that have collected too much personal data, or have shared personal data with third parties, in both cases without sufficient notification or consent.

Recently, Roomba ran afoul of privacy laws when it was found that their cameras were collecting images from beta testers of a new product on an ongoing basis and storing all of that data on the company’s servers. This led to the embarrassing (and undignified) situation where customers were filmed through the Roomba while they were in the bathroom, arguably the most private space in the home. Similarly, a recent investigation by the Federal Privacy Commissioner for Canada found that Home Depot had not only collected their customers’ spending habits, but had also disclosed this personal data to Meta for marketing purposes through the “Offline Conversions” solution, which measured the effectiveness of targeted advertising using live customer information. In that situation, consumers were not made aware that their spending habits at Home Depot would be disclosed to the social media giant, and the regulator ordered that the “Offline Conversions” tool no longer be used by Home Depot.

These two cases highlight what a customer should reasonably expect when they disclose personal data for commercial transactions. As a retailer, are you collecting only what you need to effect the purchase? Do you share that data with your partners? And, if so, are you de-identifying or anonymizing the data, or disclosing it in an identifiable format? If your service provider is bypassing you and collecting personal data from your customer directly, do they also disclose that data to you?

Ultimately, retailers are responsible for the personal information that they collect from their customers. They act as custodians once they collect that data, and this obligation is binding upon all parties in their supply chain. In this article, we highlight and examine common scenarios where businesses collect customer data and where they need to build privacy by design into the organization.

Businesses may be collecting personal information from a number of different entities they work with on a daily basis. Even something seemingly innocuous, such as an official Instagram or Facebook page, would be a collection point if you intend to use the comments and interaction for marketing trend analysis and research purposes.

Collection: Know your chain of custody

As part of everyday business, personal data is sent out frequently. Any time it is sent to another entity, whether an outside organization or even another unit internally, that transfer is considered a disclosure of personal data. Under most privacy laws, if any part of a business’ operations is outsourced to a third-party entity, and that company collects, processes, or stores personal data on its behalf, the outsourcing business remains legally responsible as the head contractor and data custodian in the event of a breach. Therefore, businesses need to be able to account for personal data throughout their supply chains, including the following:

Site host: What personal data is the ISP collecting? Do they have proper cookie notices with options for the customer to properly adjust their privacy settings, with opt-in functions?

Merchant site: If selling merchandise through a third-party site host, consider how much information is received from them. Do they share sales reports and purchase histories? If that information is going to be used, consider whether or not consent has been given to do so, which means reviewing the terms and conditions or consent forms provided to customers. If in doubt, do not guess whether or not consent has been given. Relying on implied consent is a slippery slope towards liability.

Payment processor: Even if a company doesn’t collect payment card information itself (or if just the last four digits are visible), it might still receive sales reports or purchase histories covering its customers. Even if the customer is known to the business, does it need to see unredacted sales reports containing their credit card information? Businesses should think before accepting those reports from the payment processing company: once they hold that data, they not only bear responsibility for it, but will also have to perform additional due diligence under PCI’s requirements.

Customer service: If a call centre is run by a vendor – particularly in another country – consider that the rules on the collection of personal data may differ in that jurisdiction. Every piece of information about a customer is considered personal data, even down to the recording of the call “for quality assurance” purposes. Ensure the proper notifications are given and, if required by law, obtain consent before proceeding with the call. Businesses must also ensure that proper privacy training is given to call centre agents so they do not collect unnecessary data.

Marketing: Marketing departments (or outsourced marketing firms) need some form of personal data to gain insights into customers’ spending habits and preferences to help their businesses grow. However, they must ensure that they are also obtaining the proper consents from the target audience and being transparent with them about how the data is being used. The collection of personal data for marketing purposes is often considered a secondary use of information, as its use is often not tied directly into the purposes for which it was originally obtained. Therefore, businesses must ensure that their marketing departments and any outsourced firms have the proper consents and notifications in place.

Improper Disclosure

A key point that may not be clear in either the Roomba or Home Depot controversies is that the problem was not just the unauthorized collection or disclosure of personal data, but the overcollection of data and its disclosure to other entities without prior notification to, or consent from, the customers. A Roomba needs a camera to see where to pick up dirt, but it did not need to collect the images of persons in that vicinity. It is one thing to view the environment, but it is entirely another to capture that image and store it with the vendor. This is how the embarrassing images of customers in the loo ended up being stored on Roomba’s servers.

Similarly, Home Depot did not advise their customers that they would be disclosing personal data to Meta, and neither their privacy policy nor Meta’s had any express language notifying the customer of this transfer. The Home Depot privacy statement was not available at the time customers made their purchase, and there was no reason for customers to check the privacy statement for this at the time a purchase was made. Although the Canadian Federal Office of the Privacy Commissioner did not find that the data was sensitive, it emphasized that customers would not reasonably expect Home Depot to disclose their personal data to Meta, and that Home Depot should have obtained express opt-in consent for this practice. In effect, the regulator is saying that companies should not apply a broad or overly permissive interpretation of what personal data can or should be disclosed for purposes other than those which are necessary and absolutely required.

Overcollection or improper disclosure of personal data can lead not only to complaints and investigations conducted by the regulator, but also to public embarrassment when the findings are made public. There may be “no such thing as bad press”, but it will affect businesses if their stock price goes down or their investors become reluctant to continue doing business with them. Many investors these days are demanding proof of not only IT security compliance, but also evidence of a robust privacy program that complies with international laws. They often require that a complete review of a business’ data collection and sharing practices be undertaken as part of their due diligence. Businesses can no longer put off making privacy a priority in their organization, especially when failing to do so hurts their bottom line.

Risk Management

In order to avoid overcollection or to ensure that customer personal data is safeguarded, businesses must have a mature privacy management program. This includes all of the following elements:

Proper notification and/or consent: Ensure customers are notified of their privacy rights in the policy and in the notice at the moment of collection. If personal data is going to be used for purposes other than the original purpose of its collection, obtain express customer opt-in via a consent form to prevent scope creep. And, make sure documents are user-friendly and easy to read.

Data mapping and inventory: Take “stock” of all the types of personal data that are being collected, maintain evidence of the notification and/or consent, record their location in systems (including country of storage), and keep high-level tracking of any disclosure of that data to third parties. Businesses may also be required to complete a record of activities (ROA) of personal data processing for EU privacy compliance.

Privacy by Design: Build privacy elements organically into systems and processes by setting the highest privacy levels by default and restricting access to the data. In addition, ensure that systems process only the absolute minimum amount of personal information required. Do not process personal data or grant liberal access “just in case”. Businesses must ensure they process data only as a matter of pure necessity.

Privacy impact assessment: If building (as a flagship product or app) or implementing a system that involves considerable personal information, get a privacy officer, consultant, or legal counsel to write a privacy impact assessment (PIA). This will help assess on a granular level whether or not collection, use, disclosure, and retention of personal data complies with legislative permissions. A PIA has great value as a due diligence exercise, and can help assure executives, partners, clients, and investors that privacy practices are sound and risk-averse.

Responding to overcollection

If a business has found that it has over-collected personal data, or improperly disclosed personal data, it’s considered a privacy breach. When this happens, here are some steps that can be taken in order to effectively respond:

Notify the business’ privacy officer. They will act as the lead in the breach response protocol. Alternatively, businesses may contact their external privacy consultant or legal counsel to assist or take the lead.

Activate and execute the privacy breach response protocol. This means a business should be ready to report the breach internally, triage, investigate, assess risks, notify affected stakeholders, and respond to queries. It should also meet with legal counsel to assess its exposure, and work with communications and media relations on brand messaging and damage control if the breach affects a large group.

-------

Questions about data privacy? Contact Ritchie Po, Privacy Lead, Kobalt.io at ritchie.po@kobalt.
