The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Leading up to this day, organizations spent months, even years, assessing data collected from customers and employees as well as data privacy security procedures in place. As businesses continue to work toward maintaining compliance with the new regulations, it's still too early to quantify detailed impacts on bottom lines, brand reputation and customer loyalty. However, it is worth taking a look at some initial developments, including observations about customer database reductions and new thinking around what parts of consumer data are truly valuable and worth keeping. There are also new sets of U.S. regulations currently in discussion that seem to be inspired by the EU’s actions, and time will tell how these are defined and enforced.
In the retail sector, GDPR legislation touches businesses beyond security, auditing, legal and compliance. Anyone who works with customer and employee data, including marketing, sales and HR, is impacted and responsible. Like many consumers, you may have received an onslaught of emails the week of May 25 from brands noting new data protection activities being put into place and asking you to opt in to continue receiving communications from them. And like many consumers, you likely ignored these emails or saw them as opportunities to de-clutter inboxes. Is this the start of an alarming trend in e-newsletter and email marketing subscription drop-off?
It's too soon to analyze specific figures and financial ramifications from retail customer database reduction, but it’s safe to assume that ultimately there will be larger impacts. For a telling example of the impact of lost consumer reach, look no further than womenswear retailer ModCloth. Owned by Jet.com (part of the Walmart Group), ModCloth decided to stop selling to EU customers and has redirected its entire European website to a holding page with a U.S. customer care number.
Similar examples of lost consumer reach are popping up in other industries, including media, where several U.S.-based news outlets (e.g., Chicago Tribune, Los Angeles Times) decided it was easier to block web access or stop sending e-newsletters to EU-based readers rather than undergo operational restructuring to comply with GDPR.
Researchers are predicting that large retailers will be hit more significantly and likely see more customer database reduction throughout the coming year. GDPR applies to businesses of all sizes, but companies with fewer than 250 employees face less rigorous record-keeping regulations. According to data collected by Euromonitor, larger retailers will likely feel more of an impact than luxury brands due to their size and practices for using customers’ personal data to drive additional sales. This means that larger retailers need to continue to consider GDPR as a constraint as they innovate and engage with customers in areas like loyalty programs and personalization. Brands such as Farfetch, MatchesFashion, mytheresa and 24 Sèvres will likely face less strict data privacy rules even though luxury companies often invest more time and money in personalized, one-to-one services for consumers.
Once we start to see penalties being issued by regulatory bodies, then businesses might begin a more earnest look at risk exposure to GDPR. Monitoring fines, data breaches and how others are responding will influence U.S.-based retailers’ actions, with some deciding to forgo international audiences in the U.K. and EU altogether.
Less Data is Sometimes More
The new standards of data protection and the fines that can be imposed for regulation violations should prompt retailers to shift from trying to collect as much data as possible to collecting data that's less sensitive, and then determining how to use the information for marketing and product positioning accordingly. Businesses will benefit from looking internally at how data is collected, where it's stored and how it's processed, in order to determine whether they can get the same value out of information once it's anonymized and pseudonymized, thereby complying with GDPR.
For example, when logging each page a given individual visits on a website, instead of linking that information to a personalized customer ID, a business should look to see if it gets the same value by recording that information anonymously. Furthermore, if a business wants to understand the relationship between complementary products, it may look cumulatively at how secondary items are often purchased with primary items, rather than tying that data to individual customer purchases. Useful insights can be gained from an aggregate view of data — e.g., from customers in a given geography or from web traffic to a particular item following a sales promotion. This aggregate approach lowers the risk of personally identifiable information leaking in a breach (internal or external), complies with regulations, and reduces the complexity of an organization’s tech infrastructure and processing needs.
Retailers are also looking at more traditional routes of engaging customers, such as targeting direct mail campaigns at neighborhoods rather than at specific customers. In the U.K., the Information Commissioner’s Office (ICO) has confirmed brands do not need consent for postal marketing if they can rely on legitimate interests.
Companies are now dissuaded from collecting and storing massive troves of personal data, most of which they may never even use. The less consumer information a company holds onto, the easier it will be to comply with data reporting requirements and “right to be forgotten” requests. Any person located in the EU (citizens and residents) can ask companies to remove personal information from corporate databases in a timely fashion. If this isn't possible, then the individual has a right to know the reason why. Therefore, having a simple and fast method of deleting data securely, completely and demonstrably when customers ask for it is an essential element of GDPR success.
In the U.S., new consumer data regulations are being enacted at the state level and are in discussions at the federal level. On June 28, California passed a new privacy law that gives consumers new rights over their personal data. The legislation went from draft to law in one week, removing the need for a November ballot vote on the California Consumer Privacy Act.
California’s new state legislation is one of the toughest in the U.S. and has ramifications for the data collection practices of companies. The new law, set to go into effect in January 2020, gives consumers the right to know what information is being collected about them (digitally and physically), why it's being collected, and with whom it's being shared. Consumers can now demand that companies delete their information and prohibit the sale or sharing of said data without fear of a decrease in quality of service from that business. Individuals under the age of 16 receive additional protections around sharing and selling of data. Finally, this law increases consumers’ ability to sue companies after a data breach and gives the state’s attorney general more authority to issue fines for regulatory violations. It’s not just tech companies that will be impacted. Credit unions, grocers, car manufacturers and more spoke out against this type of legislation, arguing that this act will impact different types of retailers as it becomes law.
Furthermore, recent reports have shared emerging information about early-stage plans from the White House to create a federal approach to online data privacy. Gail Slater, special assistant to President Trump for technology, telecom and cyber policy, reportedly referred to the proposal as a "counterweight to GDPR," to make sure that the EU’s laws don’t become the global standard of online privacy.
Add to all of this a meeting in the fall where EU and U.S. regulators will review the Privacy Shield agreement that governs how American companies treat European citizens’ data. Depending on the results of that meeting, we may see similar reactions from EU retailers discontinuing U.S. audience interaction if our domestic data privacy regulations are deemed too burdensome.
More Data, More Protection
As retailers around the world look to capitalize on future-forward technologies — artificial intelligence, foot traffic sensors, mobile payment systems, etc. — keeping consumer data secure will be more important than ever to realize the full benefits of these technologies without running afoul of the law or consumer trust. Both online and in-store, we will likely see the emergence of new retail models that allow businesses to leverage loyalty program information and targeted marketing campaigns within the confines of data privacy regulations. Personalized shopping experiences will continue to evolve, including more options on what types of information a business can or cannot collect about individuals.
Retailers that take a data protection-first approach should consider including that messaging in branding and promoting it as a customer value proposition. Now is the time to start thinking more strategically about what information to collect, how to store it, how it's shared and how easy it is to remove if requested. If your business is about to begin a new technology project, these concepts should be kept in mind to ensure that when legislation is enacted in the U.S., you're well positioned to respond. Consumers are increasingly aware of what businesses are doing with their personal information; an organization that offers transparency and a data stewardship approach will build stronger trust among audiences while also keeping regulators happy.
Arun Daniel is a management consultant with over 10 years of experience in strategy and business development working across retail, telecommunications and professional services. He co-leads the development of the U.K. strategy practice for North Highland. Jason Serotta is North Highland’s Media, Entertainment, and Communications thought leader, bringing 20 years of business experience with over 11 years in telecom.