Retail used to be a simple business, buy stuff, put it in stores, sell it, and tabulate the results. But technology has made our industry more complex. We have new things to think about. In fact, technology has expanded our choices to a point where we have to ask ourselves, “Just because we can do something, does that mean that we should to it? ” And the follow-on question, “What will be the backlash if we do it? “

Back in September 2013, Nikki Baird warned of a coming storm around tracking shoppers in stores. She was worried about consumer backlash even then. Since that time, the landscape has undergone a dramatic shift. The Target data breach somehow seems to be a watershed moment for consumers. Sentences will start with the phrase, “Before the Target data breach ” or “Since the Target data breach ” for many years to come. It didn’t help that other customer data thefts have been announced since then, including Neiman-Marcus, Michael’s, kickstarter.com, and most recently Sally Beauty Supply. As of this writing, it’s not clear if rumors of a data breach at Sears have been substantiated.

As details of what had happened at Target became clear, I wrote a piece on the subject for Forbes. The reader comments were interesting and echoed some of my own thoughts: Why are retailers keeping our data without our permission? (Note: I still don’t know how Target got my own email address, really) How long are they keeping it? Feelings on the trade-off of privacy for relevancy are starting to shift. A lot more people seem to be opting for privacy.

And that brings me back to the subject at hand. This week Advertising Age reported on five expected areas of focus for the FTC this year. All five revolve around consumer privacy and data security. This could become an uncomfortable situation for retailers and end up costing time, resources and money if the industry doesn’t act now. I would say, “If you enjoyed the journey getting to PCI-DSS certification, you’ll likely be delighted by the upcoming FTC guidelines. ” We’d better start policing ourselves.

Specifically, the FTC is going to focus on de-identification and re-identification. In English: When your in-store MAC address tracking vendor says he’s “hashing the MAC address so it’s not readable, ” he’s de-identifying the data. When your not-so-friendly neighborhood hacker “defeats the hashing algorithm and reconstructs the MAC address, ” that means it has been re-identified. Apparently FTC CTO Latanya Sweeney worked as the director of Harvard’s Data Privacy Lab, and this was an area of focus for her. She, and her boss, FTC Chairwoman Edith Ramirez recognize the obvious: de-identification is not a cure-all. And it has to constantly be honed and enhanced.

The FTC is also focusing on data security. I don’t think the agency has much of a choice at this point. The industry just has not proven it can be trusted to secure the personal data that’s gathered routinely, rented and shared.

All this is by way of giving some good advice. If you decide to implement any form of in-store tracking and/or sharing data with others, it’s very important to follow some basic best practices:

1 – Ensure your selected vendor has a real and ongoing commitment to securing and encrypting any data gathered on your behalf. I don’t know how many ways we can say this: You cannot have a static standard in an evolving world. A good friend of mine’s father was a cryptographer in World War II. He always told her, “If it can be encrypted, it can be decrypted too. ” That means those encryption standards have to be continually changed. Whatever they are. There is no magic bullet.

2 – Ensure your opt-in / opt-out policies are clear and readily visible in your stores and on web sites. If you’ve got location tracking enabled in store, visible signage really should read “If you do not want to participate, please turn off wifi / Bluetooth ” (depending on your tracking mechanism). Yes, I do believe it should be that specific. On web sites, if a customer buys something and checks out as a guest, be very clear that her data will be kept for a period of time and explain why. As far as I can remember, I haven’t shopped on target.com in more than 5 years, if ever. There really is such a thing as a data purge. I have NO idea why Target decided to keep my data that long, and honestly, I don’t care. I care that they didn’t tell me they were going to do it.

3 – If you’re going to share data you collect with data brokers, be clear about it. Right now, all consumers get are the “We will never share or rent your data ” from sites that are opposed to the idea. That’s a very good thing, but the transparency in the other direction is pretty important too. “Your data can be shared with others. “

This is all about re-establishing trust. When the government starts acting on something like this, you know the wheels have come off the wagon. The same Advertising Age article I mentioned above talked about a bill introduced by Jay Rockefeller, outgoing Senator from West Virginia. This bill proposes to take the steps initiated by Acxiom with their aboutthedata.com web site and make them a requirement for every data broker. The industry may fight back, but win or lose, you can be sure it’ll be a very visible fight, and consumers will not come down on the side of the data brokers.

I feel like we’ve been getting into the warning business lately and I don’t want to sound like Chicken Little. But we’re at a dangerous inflection point. Even as we’re trying to learn how to act on what’s now called “Big Data ” there is real potential that the industry will find itself awash in new regulations. That’s not going to be fun. So let’s start self-policing now.