The Retailer Winter Edition 2022




Bryony Long, Partner and Co-Head of Data, Lewis Silkin

It has been a busy year for data privacy with significant regulatory action and interesting developments relevant to the luxury and retail industry.

Direct marketing

The UK data protection regulator (the ICO) has been very active in the area of direct marketing and has issued a number of fines over the past year for contravening the direct marketing rules, including to some well-known names: American Express (£90k), Saga (£150k), We Buy Any Car (£200k) and Sports Direct (£75k). These fines were issued for reasons we see time and time again in relation to direct marketing, including mislabelling a ‘marketing’ email as a ‘service’ email and therefore not having an appropriate lawful basis, not having valid consent from a subscriber and not fully satisfying the requirements of the UK soft opt-in rule. If you are a retailer sending marketing communications, you will be fully aware of the nuances of such communications, and these fines emphasise the importance of getting it right. Furthermore, it is not just email marketing that has caught the eye of the regulator: other forms of targeted advertising using personal data remain under intense scrutiny. In 2020 we saw guidance issued at EU level by the European Data Protection Board (EDPB) on social media retargeting, and we believe it is only a matter of time before we see enforcement action off the back of this.

Transparency

The Irish Data Protection Commissioner (DPC) imposed a record €225 million fine on WhatsApp Ireland Limited for breaching the GDPR’s transparency obligations “with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service”, including information about the processing of individuals’ data between WhatsApp and other Facebook companies. Aside from the eyewatering amount, this case is also interesting because the EDPB stepped in and required the DPC (which has a reputation for being a more lenient regulator than its continental counterparts) to reassess its initial fine and come back with a number with more bite.

Children’s data

In September 2020, the ICO issued its Age Appropriate Design Code, otherwise known as the Children’s Code. There was a 12-month transitional period for organisations to comply with the Code, which ended on 2 September 2021, meaning we are now in the enforcement phase and the ICO may take action. The Children’s Code translates the GDPR requirements into design standards for online products and services which are ‘likely to be accessed by children’ (i.e. anyone under the age of 18). It has a wide scope, and failure to comply can lead to compulsory audits, processing bans and fines, and of course reputational damage. Increasingly, where organisations are processing children’s data within the scope of the Children’s Code, they will need to ensure they have appropriate protective measures in place, including geolocation off by default, age appropriate transparency and default settings.

Cookies

Historically, cookie compliance has been the elephant in the room. Most organisations know they are getting it wrong but are reluctant to address it. However, all retailers, especially with the increased importance of e-commerce, will be aware of the requirement to obtain consent for non-essential cookies. There has been an increased focus on the use of such cookies, including an EDPB task force especially set up to address cookie law compliance and complaints around cookie banners, and market leaders such as Apple and Google implementing technologies with restrictions on the ability of organisations to use cookies. It is getting more and more difficult to avoid compliance, both from a regulatory scrutiny perspective and a commercial perspective, not to mention the increase of nuisance litigators.

Regulator focus on AI

Over the past couple of years, there has been an increased regulatory focus on how personal data is affected by AI. Last year, the ICO reviewed and updated its co-badged guidance with the Alan Turing Institute, which is aimed at giving organisations practical advice when implementing an AI solution. Cutting edge retailers will no doubt be considering AI/VR options, not just online and in store to enhance customer experiences, but also in their supply chains to drive efficiencies. Despite the increased guidance, this is still a relatively uncertain area from a compliance perspective, and implementing AI solutions is still fraught with legal challenges.
