Tracking Compliance: Data Protection Risks and Remedies for Retail
Janine Regan, charlesrussellspeechlys.com

Janine Regan, Associate, +44 (0)20 7427 6798, janine.regan@crsblaw.com

Janine has extensive experience advising on and managing global data protection compliance for multinationals in sectors such as financial services, pharmaceutical, technology, marketing and advertising, media and construction. She frequently advises on notifications/approvals with relevant data protection authorities, drafting and negotiating data protection provisions in outsourcing and data sharing agreements, whistleblower hotlines, transborder data flows, privacy impact assessments, data breaches and subject access requests. She also provides tailored data protection training for clients. Recently, Janine has provided privacy advice on new technologies such as telemetry, wearable devices and big data.

Janine is a regular presenter on our data protection webinars. She also often speaks at professional conferences including the Society of Corporate Compliance and Ethics, Tech UK, PDP, MBL, the Employment Lawyers Association and the Immigration Law Practitioners Association. She also contributes articles for Data IQ, the Society for Computers and Law, Bloomberg BNA and Privacy Laws & Business.

"Very knowledgeable and commercial" (Legal 500 2016)

03 May 2016
Topics
- Wi-Fi location analytics
- Buying in data and direct marketing
- Facial recognition
- Privacy in mobile apps
- DP compliance as a marketing strategy

Why does the industry need to take this seriously?
- Adverse publicity
- Cost of a data breach, including abnormal churn rates
- Illegally collected data has little value as a commodity
- Increased public awareness
- High priority for data protection regulators
Wi-Fi location analytics
What is Wi-Fi analytics?

What are the risks?
- Individuals do not understand or consent
- Where is the choice?
- Too much data is being collected
- Data is being held for too long
How should we address the risks?
- Privacy Impact Assessments
- Be clear and transparent
- Remove identifiable elements
- Define the bounds of collection
- Define a retention period
- Create a simple and effective means to control collection
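The three technical remedies above (remove identifiable elements, define a retention period, give people a means to control collection) can be shown concretely. The following is an added example, not code from the presentation or from any analytics vendor: it takes the MAC addresses seen in Wi-Fi probe requests and stores only a keyed, period-rotated pseudonym, honours an opt-out list, and purges records past a retention window. The daily key rotation, the 30-day retention period and the opt-out mechanism are assumptions chosen for the example; the point it makes that the slide does not is that an unkeyed hash of a MAC address is not "removing identifiable elements", because the address space is small enough to enumerate and reverse.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumptions for this example (not taken from the presentation):
ROTATION = timedelta(days=1)     # pseudonym key changes every day
RETENTION = timedelta(days=30)   # records older than this are deleted


def normalise_mac(mac: str) -> str:
    """Canonical lowercase colon-separated form, so 'AA-BB-..' and 'aa:bb:..' match."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class ProbeSink:
    """Collects Wi-Fi probe requests as short-lived pseudonyms.

    A plain SHA-256 of a MAC address is not anonymisation: 48 bits (far fewer
    once vendor prefixes are known) can be enumerated and the hash reversed.
    A secret key (HMAC) removes that, and rotating the key per period means the
    same phone gets a different pseudonym each day, so visits cannot be linked
    across days while dwell time within a day can still be measured.
    """

    def __init__(self, master_key: bytes, rotation=ROTATION, retention=RETENTION):
        self._master = master_key
        self._rotation = rotation
        self._retention = retention
        self._opted_out = set()   # normalised MACs that asked not to be collected
        self.records = []         # (timestamp, pseudonym, zone)

    def _period_key(self, ts: datetime) -> bytes:
        # Derive the key for the period containing ts from the master key.
        period = int(ts.timestamp() // self._rotation.total_seconds())
        return hmac.new(self._master, period.to_bytes(8, "big"), hashlib.sha256).digest()

    def pseudonym(self, mac: str, ts: datetime) -> str:
        tag = hmac.new(self._period_key(ts), normalise_mac(mac).encode(), hashlib.sha256)
        return tag.hexdigest()[:16]   # truncated: enough to count visits, not a durable ID

    def opt_out(self, mac: str) -> None:
        """The 'means to control collection': devices on this list are never stored."""
        self._opted_out.add(normalise_mac(mac))

    def record(self, mac: str, ts: datetime, zone: str) -> bool:
        if normalise_mac(mac) in self._opted_out:
            return False
        self.records.append((ts, self.pseudonym(mac, ts), zone))
        return True

    def purge(self, now: datetime) -> int:
        """Enforce the retention period; returns the number of records deleted."""
        cutoff = now - self._retention
        before = len(self.records)
        self.records = [r for r in self.records if r[0] >= cutoff]
        return before - len(self.records)


def demo():
    # Constructed data: a master key (in practice kept in a KMS/HSM), one phone
    # seen twice on day 1 and once on day 2, and a second phone that opted out.
    sink = ProbeSink(master_key=b"example-master-key-not-for-production")
    day1 = datetime(2016, 5, 3, 9, 0, tzinfo=timezone.utc)
    day2 = day1 + timedelta(days=1)
    sink.record("AA:BB:CC:11:22:33", day1, "entrance")
    sink.record("aa-bb-cc-11-22-33", day1 + timedelta(minutes=12), "menswear")
    sink.record("AA:BB:CC:11:22:33", day2, "entrance")
    sink.opt_out("DE:AD:BE:EF:00:01")
    accepted = sink.record("DE:AD:BE:EF:00:01", day1, "entrance")
    same_day_linkable = sink.records[0][1] == sink.records[1][1]
    cross_day_linkable = sink.records[0][1] == sink.records[2][1]
    purged = sink.purge(day1 + timedelta(days=30, hours=12))
    return accepted, same_day_linkable, cross_day_linkable, purged, len(sink.records)


if __name__ == "__main__":
    print(demo())
```

Within one rotation period the two sightings of the same phone share a pseudonym, so dwell time and zone transitions can be computed; on the next day the pseudonym differs, so a returning visitor cannot be recognised, and the opted-out device is never written at all. The retention purge is the part most often forgotten: without it, even pseudonymous records accumulate indefinitely, which is exactly the "data is being held for too long" risk on the previous slide.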
Facial recognition
Creepy or creative?
Minority Report: Personal Advertising in the Future
https://www.youtube.com/watch?time_continue=28&v=7bXJ_obaiYQ

- Lack of awareness
- Lack of choice
- Lack of control
- Potential for serious misuse
Privacy in mobile apps
Key messages
- The same data protection rules apply!
- Key priority for data protection regulators

Global Privacy Enforcement Network research / investigation:
- 85% of the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal information
- More than half (59%) of the apps left users struggling to find basic privacy information
- Almost 1 in 3 apps appeared to request an excessive number of permissions to access additional personal information
- 43% of the apps failed to tailor privacy communications to the small screen, either by providing information in too small a print, or by hiding the information in lengthy privacy policies that required scrolling or clicking through multiple pages

ICO Guidance
- Challenge of conveying privacy information via small screens
- Consumers' expectation of convenience can make it undesirable to present lengthy privacy information or a large number of prompts, or both
Buying in data and direct marketing
Key changes (publication date: 24 March 2016)
- Indirect (third party) consent and bought-in marketing lists
- Obtaining freely given, specific and informed consent

Indirect (third party) consent and bought-in marketing lists
- What is indirect consent? A list broker or other third party source claims that the customers have consented to receive marketing from other organisations.
- Indirect consent will not be enough for texts, emails or automated calls where the consent was general, e.g. "marketing from selected third parties".
- Consent does not last forever, and this time factor is even more important with indirect consent.
- General rule of thumb: indirect consent lasts six months, but there may be situations where a longer period is reasonable (e.g. consent to receive offers on seasonal products or annually renewable insurance services).
Obtaining freely given, specific and informed consent

Consent, Directive 95/46/EC: "any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed"

Freely given: the individual must have a genuine choice over whether or not to consent to marketing. Organisations should not coerce or unduly incentivise people to consent, or penalise anyone who refuses. Where consent is a condition of subscribing to a service, the organisation will have to demonstrate how this indicates that consent was freely given.

The General Data Protection Regulation: "Consent should be a clear, affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as a written statement, including by electronic means, or an oral statement." Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
To enrich your existing database

Example record: Janine Regan, Janine.Regan@crsblaw.com, subscribes to Retailer's newsletters. Postcode demographics plus lifestyle information: house type, family structure, age, household income, technology ownership, leisure activities, grocery spend, newspapers read, holiday types and frequency, types of marketing campaigns most likely to respond to, stores most likely to visit, etc.

Is it lawful?
- Would the customer be surprised if they knew how much you knew about them?
- Would it spook them out?
- Can you be any more transparent with your customers?
- Can you offer your customers a real choice as to whether or not they are profiled in this way?

Tips
- Ask the data broker / supplier for examples of how they obtain consent
- Make sure the data broker / supplier warrants and represents that they have obtained freely given, specific and informed consent to sell the data to you
- Starting point: unlimited liability / indemnity for data protection
- ICO's due diligence checklist (page 45 of the direct marketing guidance note)
DP compliance as a marketing strategy
- ICO Privacy Seals programme
- European Data Protection Seal in the GDPR
- Will act as a mitigating factor in the event of enforcement action under the GDPR
charlesrussellspeechlys.com Charles Russell Speechlys LLP is a limited liability partnership registered in England and Wales, registered number OC311850, and is authorised and regulated by the Solicitors Regulation Authority. Charles Russell Speechlys LLP is also licensed by the Qatar Financial Centre Authority in respect of its branch office in Doha. Any reference to a partner in relation to Charles Russell Speechlys LLP is to a member of Charles Russell Speechlys LLP or an employee with equivalent standing and qualifications. A list of members and of non-members who are described as partners, is available for inspection at the registered office, 5 Fleet Place, London. EC4M 7RD.