The law emphasizes transparency by requiring companies to secure the personal data of their consumers, to write privacy policies in conspicuous and straightforward language, to obtain affirmative consent from users before their data can be used, and to limit the scope of use of consumer data to a clearly defined purpose. It aims to strengthen consumer rights and to make the digital data standard “privacy by default,” giving individuals the right to access a copy of the data any business keeps on them, to move their data from one platform to another, and to have their information deleted from a platform altogether. Companies found to be noncompliant can face fines of up to the greater of 20 million euros or 4% of their annual global revenue. While the law applies only to companies that handle the personal data of EU residents (and not all such companies are subject to it), the global nature of e-commerce means that the GDPR has the potential to affect any company that markets products online, irrespective of the company’s geographic location.
This new GDPR standard, compounded by the public backlash and calls for US data protection legislation after the Facebook Cambridge Analytica scandal and massive data breaches weathered by companies like Equifax and Uber, is helping to shift consumer expectations of privacy. Companies are responding by changing their privacy policies and overhauling their use of personal data. In April, Mark Zuckerberg announced that Facebook would be offering the same level of privacy controls required by the EU law to users all around the world.
If the volume of emails notifying consumers about updated privacy policies is any indication, other US companies are quickly following suit. Retailers have already been working to prioritize data security over the last few years, spending millions of dollars a year to bolster protections and to hire cybersecurity experts. The GDPR’s added focus on transparency and narrower use of personal data, however, creates a new need for retailers to adapt and use consumer data in pointed, innovative ways, while also maintaining protection and security, so that consumers will be incentivized to opt into sharing their data. And, of course, any updated privacy commitments made to consumers must conform to what the retailer is actually doing, whether for GDPR compliance or other purposes.
At first blush, retailers may perceive this shift as daunting, especially since consumer data has become the driving force behind advertising strategies with the evolution of technology and e-commerce. However, a move away from the current status quo of largely unfettered use of consumer data does not necessarily have to stifle retailers’ efforts to achieve strategic omni-channel loyalty. Rather, it presents a unique opportunity for retailers to further curate consumers’ personal experiences while simultaneously demonstrating their own loyalty to consumers through the implementation of mindful, honest practices concerning data collection, use, and protection.