Karin Rivard
Retail Law Advisor (blog)

“We’ve Updated Our Privacy Policy”

How the EU’s New Data Protection Law is Changing Data Policy Considerations for American Retailers

If you have ever made an online purchase, chances are that you have received at least one email in the last month notifying you that a company's privacy policy has changed. These emails are part of efforts to comply with the General Data Protection Regulation (known as the "GDPR"), a European Union data protection law that went into effect on May 25 of this year. Adopted in 2016, the GDPR is widely regarded as the toughest data protection law in the world.

The law emphasizes transparency by requiring companies to secure the personal data of their consumers, to write privacy policies in conspicuous and straightforward language, to establish a lawful basis for processing (most visibly, affirmative and unambiguous consent from users) before their data can be used, and to limit the use of consumer data to clearly defined purposes. It aims to strengthen consumer rights and to make "privacy by default" the digital data standard, giving individuals the right to access a copy of the data any business keeps on them, to move their data from one platform to another, and to have their information deleted from a platform altogether. Companies found to be noncompliant can face fines of up to the greater of 20 million Euros or 4% of their annual global revenue. The law reaches companies that handle the personal data of individuals in the EU, and a company with no EU establishment is covered only if it offers goods or services to those individuals or monitors their behavior; but because e-commerce is global, the GDPR has the potential to affect any company that markets products online, irrespective of the company's geographic location.

This new GDPR standard, compounded by the public backlash and calls for US data protection legislation after the Facebook Cambridge Analytica scandal and the massive data breaches weathered by companies like Equifax and Uber, is helping to shift consumer expectations of privacy. Companies are responding by changing their privacy policies and overhauling their use of personal data. In April, Mark Zuckerberg announced that Facebook would offer the same privacy controls required by the EU law to users all around the world.

If the volume of emails notifying consumers about updated privacy policies is any indication, other US companies are quickly following suit. Retailers have already been working to prioritize data security over the last few years, spending millions of dollars a year to bolster protections and to hire cybersecurity experts. The GDPR's added focus on transparency and narrower use of personal data, however, creates a new need for retailers to use consumer data in targeted, innovative ways, while also maintaining protection and security, so that consumers have a reason to opt into sharing their data. And, of course, any updated privacy commitments made to consumers must match what the retailer is actually doing with their data, whether those commitments are made for GDPR compliance or for other purposes; a policy that promises more than the company's practices deliver is itself a liability.

At first blush, retailers may perceive this shift as daunting, especially since consumer data has become the driving force behind advertising strategies as technology and e-commerce have evolved. However, a move away from the current status quo of largely unfettered use of consumer data does not have to stifle retailers' efforts to build strategic omni-channel loyalty. Rather, it presents a unique opportunity for retailers to further curate consumers' personal experiences while demonstrating their own loyalty to consumers through mindful, honest practices concerning data collection, use, and protection.