Consumer Data Privacy & Security: Don’t Say We Didn’t Warn You!
In RSR’s review of last month’s NRF annual Big Show expo, we bemoaned the fact that we could not find much at all that showed how tech companies were helping retailers address the issues of data security and consumer data privacy. We get a lot of feedback from our NRF reviews, and this year was no exception, but one message caught my particular attention: “I have almost 30 years’ experience in retail IT. I also attended NRF and found virtually no cyber security vendors. We are finding that retailers are more interested in CCPA compliance (California Consumer Privacy Act - CA AB 375) than security.”
Get the inference? Compliance with consumer privacy regulations and data security are seen as different issues, at least for retailers. But they definitely are not disconnected.
Let me provide some background to RSR’s concern. My RSR partner Steve Rowen and I spent a couple of years (2005-2007) going around America giving one-day seminars to highlight the challenges behind the PCI (“Payment Card Industry”) mandates. We learned a couple of things very quickly. The first is that retailers absolutely hated anything being mandated to them, especially a POS payment data security standard, by the likes of VISA and MasterCard. There were a bunch of reasons for the “tension” (to put it mildly) between retailers and the payment processors – but underlying it all was a belief among retailers that there was no real ROI to what was viewed as an expensive and labor-intensive effort.
The other thing we learned is that the two issues ARE related, whether retailers like it or not. Companies can be as sloppy as they dare with the information about their products, inventory, prices, sales, etc. But a breach of payment data is different – it affects consumers directly. But some retailers were not convinced that consumers much cared, and unfortunately, events unfolded that reinforced that opinion. Well-known breaches at TJX, Home Depot, Experian, and many others seemed to generate a collective ho-hum from consumers, even though I’d bet that each and every one of us has a personal tale of having to clean up the mess when a credit card number has been stolen. Steve and I stopped doing the seminars because they often devolved into shouting matches.
Government regulatory agencies, however, certainly took notice of the potential for harm, and that concern extended well beyond payment data. The fact that some companies (such as Facebook and Google) built their business models around selling consumer data (for example, names, internet protocol addresses or identification numbers, search history, social media “likes”, etc.) to 3rd parties triggered widespread concern. The first big warning came from the EU, with its 2016 General Data Protection Regulation. The second big regulatory move came from California in 2018 with the above-mentioned California Consumer Privacy Act, which becomes effective in 2020.
Here's what you can take from these facts:
- (1) The privacy of consumer data is a real issue. The California law (which is now being argued in the U.S. Congress for consideration to be a national standard) mandates that consumers can demand that a business tell them what personal information it is collecting about them and whether it is selling or sharing it, and if so to whom. Consumers can tell a company to delete their personal information. Parents must give permission before a website, online service or mobile app directed toward children can sell any user data. And consumers can sue companies that fail to adequately safeguard their personal data, resulting in a breach. The rules apply to any for-profit business that collects customers’ personal information (including retailers).
- (2) Privacy and data security are linked in the regulations. For example, the California law assigns specific penalties should unauthorized access occur, “whether through a breach, exfiltration, theft, or ‘disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices”.
Fast Forward to Geo-Location Analytics
In RSR’s 2018 benchmark study on Location Analytics in Retail, we expressed a concern about the sensitivity of geo-location data collected from consumer “smart” mobile devices: “Mobile network operators (MNOs) have a wealth of information available to them about individuals’ geo-locations – where they live, where and how frequently they shop, their commute patterns, and even how they pay for goods and services (especially now that contactless payment options are becoming popular). MNOs have permission to collect this data by virtue of the services contracts consumers have with them, and it’s probably no surprise to anyone that that information is a huge revenue opportunity for the MNOs.” Ironically, this concern was at first a result of something that RSR saw at the 2016 NRF “Big Show” event. I can say without reservation that we were blown away by what the data could reveal about a person’s lifestyle, which the vendor in this story gleefully showed us.
But retailers’ responses in the 2018 study indicated that they were relatively untroubled by the potential risks associated with the use of very detailed consumer geo-location information.
RSR is now in the process of analyzing the results of our 2nd study on the value of geo-location data, and responses indicate that retailers are even less concerned than just one year ago (Table).
| Cellular network providers are working with data providers to establish a customer’s identity and other data and provide it to retailers. What’s your opinion about using that data? | | |
|---|---|---|
| Makes us nervous but we’ll use it | 25% | 31% |
| More than a little scary | 14% | 4% |
| We won’t touch it. Too risky if consumers realize what’s going on | 19% | 11% |
Source: RSR Research, February 2019
We were surprised to learn that the largest retailers (those with annual revenue greater than $5 billion USD) are the ones most open to using sensitive consumer geo-location data - the number of those retailers who think using MNO data is “a great idea” has jumped in one year from 32% to a remarkable 61%.
Retailers may not be worried about consumer concerns about security and privacy of this new kind of consumer data, but perhaps they should be, because this attitude is at odds with the focus government regulatory agencies are giving to the appropriate use of that data. For example, in the United States, AT&T made an announcement in January 2019: “AT&T said Thursday it will stop selling its customers' location data to third-party service providers after a report this week said the information was winding up in the wrong hands. The announcement follows sharp demands by federal lawmakers for an investigation into the alleged misuse of data…” (Washington Post 1/10/2019).
Why Retailers Should Take This Seriously
We’re not trying to be a Cassandra on this issue, doomed to uttering prophecies that no one believes. But it’s really important for retailers and partner companies that provide geo-location data to be much more proactive than the industry was about PCI Compliance. The reason is that our studies indicate that retailers are counting on using geo-location data to be able to connect with consumers at the right moment and time along consumers’ digital shopping journeys. The new study (to be published later this month) shows that there is strong agreement among retailers that the top opportunity to be derived from new location intelligence is that it can help retailers target their marketing efforts more precisely than was possible before.
Ensure your customers’ data is well-protected and not used in any kind of named way without explicit permission. Let your customers know if you’re using tracking technology.
Be proactive! And if not, don’t say we didn’t warn you.