It has been a busy year for data privacy with significant regulatory action and interesting developments relevant to the luxury and retail industry.

DIRECT MARKETING  

The UK data protection regulator (the ICO) has been very active in the area of direct marketing and has issued a number of fines over the past year for contravening the direct marketing rules, including to some well-known names (American Express (£90k), Saga (£150k), We Buy Any Car (£200k) and Sports Direct (£75k)). These fines were issued for reasons we see time and time again in relation to direct marketing, including mislabelling a ‘marketing’ email as a ‘service’ email and therefore not having an appropriate lawful basis, not having valid consent from a subscriber and not fully satisfying the requirements of the UK soft opt-in rule. If you are a retailer sending marketing communications, you will be fully aware of the nuances of such communications and these fines emphasise the importance of getting it right.

Furthermore, it is not just email marketing that has caught the eye of the regulator; other forms of targeted advertising using personal data remain under intense scrutiny. In 2020 we saw guidance issued at EU level by the European Data Protection Board (EDPB) on social media retargeting and we believe it is only a matter of time before we see enforcement action off the back of this.

TRANSPARENCY 

The Irish Data Protection Commissioner (DPC) imposed a record €225 million fine on WhatsApp Ireland Limited for breaching the GDPR’s transparency obligations “with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service”, including information about the processing of individuals’ data between WhatsApp and other Facebook companies. Aside from the eye-watering amount, this case is also interesting because the EDPB stepped in and required the DPC (which has a reputation for being a more lenient regulator than its continental counterparts) to reassess its initial fine and come back with a number with more bite.

CHILDREN’S DATA 

In September 2020, the ICO issued its Age Appropriate Design Code, otherwise known as the Children’s Code. There was a 12-month transitional period for organisations to comply with the Code, which ended on 2 September 2021, meaning we are now in the enforcement phase and the ICO may take action. The Children’s Code translates the GDPR requirements into design standards for online products and services which are ‘likely to be accessed by children’ (i.e. anyone under the age of 18). It has a wide scope and failure to comply can lead to compulsory audits, processing bans and fines, and of course reputational damage. Increasingly, where organisations are processing children’s data within the scope of the Children’s Code, they will need to ensure they have appropriate protective measures in place, including geolocation off by default, age appropriate transparency and default settings.

COOKIES 

Historically, cookie compliance has been the elephant in the room. Most organisations know they are getting it wrong but are reluctant to address it. However, all retailers, especially with the increased importance of e-commerce, will be aware of the requirement to obtain consent for non-essential cookies. There has been an increased focus on the use of such cookies, including an EDPB task force especially set up to address cookie law compliance and complaints around cookie banners, and market leaders such as Apple and Google implementing technologies with restrictions on the ability of organisations to use cookies. It is getting more and more difficult to avoid compliance both from a regulatory scrutiny perspective and a commercial perspective, not to mention the increase of nuisance litigators.

REGULATOR FOCUS ON AI 

Over the past couple of years, there has been an increased regulatory focus on how personal data is affected by AI. Last year, the ICO reviewed and updated its co-badged guidance with the Alan Turing Institute, which is aimed at giving organisations practical advice when implementing an AI solution. Cutting-edge retailers will no doubt be considering AI/VR options, not just online and in store to enhance customer experiences, but also in their supply chains to drive efficiencies. Despite the increased guidance, this is still a relatively uncertain area from a compliance perspective and implementing AI solutions is still fraught with legal challenges.

Transparency has always been a key accountability principle under the GDPR and now we have seen the consequences of getting it wrong.


SUPPLY CHAIN BREACHES

Data breaches continue to make headlines with some notable household names being the victims of sophisticated hackers. However, there have also been breaches resulting from supply chain wrongdoing. For example, Audi and Volkswagen were left exposed after one of their vendors did not adequately protect the data of 3.3m customers. Although we have yet to see material action arising from this breach, this incident reiterates to retailers the importance of keeping on top not just of their own security but also of the security of their supply chains.

CLASS ACTIONS  

Finally, in the major case of Lloyd v Google, it was held in November 2021 that the UK’s first ‘opt-out’ data class action would not be permitted to go ahead. This will have an impact on other defendants against whom representative proceedings had been brought using a similar M.O., on matters ranging from data breaches to use of children’s data and cookies. While it is the end of the road for this claim, the door has been left open for a two-stage process, something that will give food for thought to claimants and their legal teams.

The full version of this article can be found in The Collective Business Report 2022 online here. 


To find out more about Lewis Silkin and the services they provide to the retail industry, click here.

This article was also published in The Retailer, our quarterly online magazine providing thought-leading insights from BRC experts and Associate Members.