Brick-and-mortar retailers and other property-level businesses have increasingly taken advantage of technology in learning about consumer behavior. Businesses can enhance consumer experiences through targeted marketing, smarter customer service and more efficient stocking models by analyzing the increasing amount of data available through business websites, in-store WiFi location tracking, mobile apps, and closed circuit video. While the increased access to data can help increase conversion ratios and develop new strategies, businesses should bear in mind consumers’ concerns regarding data collection, and the norms (and, increasingly, regulations) that have developed in response. The discussion below will examine the development of data collection programs through (i) the concept of privacy by design, (ii) ensuring notice and transparency of the program, and (iii) engaging third-party vendors to develop and run the program.

Privacy by Design.

Security breaches of consumer information have led to government investigations and multi-million dollar settlements from retailers in recent years. In many of these cases, even if the breach’s proximate cause may be uncontrollable (e.g., a third-party hacker), its severity owes just as much to the careless way that the data was stored, processed or transmitted. 

Businesses can incorporate privacy principles at every stage of the development of data tracking and collection programs. These principles include adopting data security and retention policies, encrypted communication and employee education initiatives. Once collected, retention of the information is also an issue – businesses should consider how long they expect to require such data for continued use, and how to ensure proper disposal afterward.

In developing such programs, businesses personally identifiable information (“PII”) data collection limitations can be used. PII includes information such as names, pictures, email addresses and so forth. PII can provide additional insight to businesses; however, collecting and using PII requires additional disclosures during the notification process, and additional monitoring and notification requirements for data breaches. Pros and cons of obtaining and retaining the ability to identify specific shoppers or users should be evaluated – in some cases, many of the risks of PII collection can be avoided, without significant loss of functionality or insight, by effectively anonymizing individual data points.

Additionally, other rules apply that may not be self-evident. For instance, the Children's Online Privacy Protection Act of 1998 (“COPPA”) was enacted in 1998, with implementing regulations updated in 2013, to restrict what information websites and companies can collect from children and how they do so. Websites and other internet-connected devices that are targeted to children or geared to a general audience but knowingly collect information from children under 13 years old must comply with COPPA requirements.

Notice and Transparency.

The use of WiFi or apps to track data about visitors to a property is a hot topic today. This tracking can be implemented actively or passively. Active tracking is implemented after clear protocols have been established for the collection of such data. Such protocols could include providing notice to visitors of a property if the company utilizes programs to track a visitor’s cellphone and data associated therewith. This could be accomplished in a number of ways: for instance, by requiring visitors to review and accept terms before using its WiFi network, or when creating an account with the business’s loyalty or e-commerce app. These terms and conditions can include the notice and authorization of usage and collection of the visitor’s data. In a Federal Trade Commission (“FTC”) Report titled Protecting Consumer Privacy in an Era of Rapid Change, the FTC recommended including a clear and succinct privacy policy for consumers to review.

Some programs, however, track data through passive means without alerting the visitor. In these instances, visible signage around the property is often placed to notify visitors that the property is collecting information from cell phones or other devices. This allows the visitor to opt out by, depending on the program used at the property, turning off the device or exiting the property. Additionally, businesses whose data collection programs collect sensitive data (e.g. race, sex, age) or use the data in a manner inconsistent with the relationship between the business and consumer (e.g. selling the data to third parties) consider specific additional notices and affirmative opt-ins.

Third-Party Vendors.

Who collects the data is also varied. Businesses will generally use third-party vendors when implementing programs to collect data from customers and the devices of visitors to a property. Service contracts with these vendors raise legal issues that companies don’t typically encounter with other types of service providers. For example, the service contract should clearly delineate who owns the data collected. While a business may think that it owns the data because the information was collected from its customers and visitors to its property, the contract may provide otherwise. The contract could include specific security requirements tailored to the vendor’s access to the collected data (e.g. while hosting, analyzing or transmitting the data). Vendors increasingly understand that their customers need these contractual assurances, and many can point to specific attestations from auditors who have reviewed their privacy and security controls.

Businesses should carefully weigh how to allocate data-related risks with the vendor. The costs associated with a data breach or legal non-compliance can be high, and may not scale with the value of the contract. For instance, a vendor that charges $100,000 for data analytics services may still give rise to a breach whose investigation, litigation, and settlement costs reach seven or eight figures. Businesses should be wary of “standard” damages caps and exclusions of indirect damages as they apply to privacy and security obligations, and should push to include indemnification rights in the event a data breach occurs as the result of the vendor’s actions.