The Retailer Winter Edition 2022
DATA TRENDS TO WATCH FOR THE RETAIL, HOSPITALITY AND LEISURE SECTOR
Bryony Long, Partner and Co-Head of Data, Lewis Silkin
It has been a busy year for data privacy with significant regulatory action and interesting developments relevant to the luxury and retail industry.

Direct marketing

The UK data protection regulator (the ICO) has been very active in the area of direct marketing and issued a number of fines over the past year, including to some well-known names (including American Express (£90k), Saga (£150k), We Buy Any Car (£200k) and Sports Direct (£75k)), for contravening the direct marketing rules. These fines were issued for reasons we see time and time again in relation to direct marketing, including mislabelling a ‘marketing’ email as a ‘service’ email and therefore not having an appropriate lawful basis, not having valid consent from a subscriber and not fully satisfying the requirements of the UK soft opt-in rule. If you are a retailer sending marketing communications, you will be fully aware of the nuances of such communications and these fines emphasise the importance of getting it right.

Furthermore, it is not just email marketing that has caught the eye of the regulator; other forms of targeted advertising using personal data remain under intense scrutiny. In 2020 we saw guidance issued at EU level by the European Data Protection Board (EDPB) on social media retargeting and we believe it is only a matter of time before we see enforcement action off the back of this.
Transparency

The Irish Data Protection Commissioner (DPC) imposed a record €225 million fine on WhatsApp Ireland Limited for breaching the GDPR’s transparency obligations “with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service”, including information about the processing of individuals’ data between WhatsApp and other Facebook companies. Aside from the eyewatering amount, this case is also interesting because the EDPB stepped in and required the DPC (who has a reputation for being a more lenient regulator than its continental counterparts) to reassess its initial fine and come back with a number with more bite.

Children’s data

In September 2020, the ICO issued its Age Appropriate Design Code, otherwise known as the Children’s Code. There was a 12-month transitional period for organisations to comply with the Code, which ended on 2 September 2021, meaning we are now in the enforcement phase and the ICO may take action. The Children’s Code translates the GDPR requirements into design standards for online products and services which are ‘likely to be accessed by children’ (i.e. anyone under the age of 18). It has a wide scope and failure to comply can lead to compulsory audits, processing bans and fines, and of course reputational damage. Increasingly, where organisations are processing children’s data within the scope of the Children’s Code, they will need to ensure they have appropriate protective measures in place, including geolocation off by default, age appropriate transparency and default settings.