Fashion retailers have potential access to more information about their customers than ever before and they also have new opportunities to use this data to tailor the customer's shopping experience, whether online or in-store.

Beacon technology and radio frequency identification (RFID) offer huge opportunities but must be managed carefully in view of the amount of personal data they can process.

The basics of beacons

"Beacon" is a generic term for anything that will send a signal directly to a smartphone or tablet. Beacon technology promises to revolutionise the retail industry by allowing customers to receive signals from beacons via downloadable apps.

Beacon technology allows businesses to gain fresh insight into consumer spending habits by, for example, tracking the time consumers spend in shops, establishing the items they browse and purchase, and by guiding customers to specific products in-store. Beacons can also help to enrich existing marketing strategies and facilitate more effective product placement by sending tailored offers directly to consumers' phones when they pass specific shops. They also provide the ability to streamline and enhance the high street shopping experience, allowing customers such luxuries, for example, as ordering online by simply taking a photo of a product. Some hope that beacons will contribute to the recovery of ailing high street sales.

The business of beacons

The number of businesses deploying beacon technology continues to climb. Those that have already utilised the technology to develop their business plans range from the multinational giant, Apple, which has rolled out its own beacon technology, 'iBeacon', in all 254 Apple stores across the US, to e-commerce business, PayPal, which is developing PayPal Beacon, to allow for fast, contactless check-outs in-store via PayPal. Virgin Atlantic has trialled the technology at Heathrow Airport, sending travellers location-triggered welcome messages and allowing them to use their smart devices as boarding passes. Every shop along London's Regent Street is being fitted with beacons which will beam special offers to potential customers as they walk past the door, and mobile shopping application, Shopkick, deployed the technology in 100 American Eagle and two Macy's stores. Shopping centres in Hampshire and Sheffield launched Bluetooth-based beacon technology to connect retailers directly with consumers through their smartphones and deliver time-limited offers. In Hampshire, there was a 100% uptake from the shops in the shopping centre and 2000 downloads were made in the first two months, with over 6000 shares on social media platforms. In Sheffield, the app was downloaded over 500 times in two hours, 460 people registered for the app and the 120 hotspot offers were all redeemed in the first 45 minutes.

RFID technology

RFID technology has been around for longer in fashion retail than beacons.  It uses electromagnetic waves to transfer electronic information stored on RFID tags to readers which can be hundreds of meters away.  Unlike barcodes, the tags do not have to be in sight of the device reading the information on them.  RFID tags have principally been used in retail to track items and manage supply chains.  They have offered retailers large amounts of detail about the movement of their stock to help them refine information about, for example, which colours and styles are selling and which offers are working.  Some retailers have taken a more innovative approach to RFID.  For example, Burberry uses RFID technology in its flagship stores to activate changing room mirrors to display for the customer information about the clothing they are trying on. 

In many ways, Beacons may be the next generation of technology in terms of their use in innovative areas relating to enhancing consumer experience  whereas RFID tends to be more suited to in-store infrastructure.  RFID is likely to continue to be used largely behind the scenes to manage supplies, both online and in-store and to enhance in-store experience by ensuring fully stocked shelves, organised to maximise sales.

Potential risks

Both beacon and RFID technology have the potential to process large amounts of personal customer information, bringing the need to address data protection, security and privacy issues. Last year OpinionLab found that 69% of shoppers had worries about the security of their data and 67% found the uses of the technology comparable to spying. But more positively, over 50% indicated they would be more receptive if they received free or discounted items as a result of the technology.

Businesses should be awake to the potential risks associated with the technology. For example, while offering free wifi in shopping centres can allow all retailers in the centre to share an app and track consumers whilst also making the app more accessible to shoppers, open wifi systems can carry significant threats from hackers and risk compromising the personal information on shoppers' mobile devices.

The risk of data theft is a serious concern.  Hardly a day goes by without news of a data security breach resulting in the disclosure of customer data.  It is essential that retailers making use of personal data prioritise cyber security, not only to comply with the law but also to protect their reputations.

Retailers should also think carefully about how they use the technology to make marketing offers to customers. Communications should only go to those who consent to be contacted and where they are useful and relevant.  This is just good business sense as well as a legal requirement.  Above all, the risk of alienating customers by apparent intrusiveness should be a key consideration.

Mitigating risks

Despite the potential risks, there are positive steps that businesses can take to avoid some of the major pitfalls when using beacon technology. Essentially, there must be compliance with data protection legislation and rules around advertising and marketing communications.  These may include consideration of the following:

Privacy Impact Assessments (PIAs)

  • The PIA is, essentially, a framework to help an organisation in the development stage of a project to anticipate privacy issues, organise its thoughts on any privacy impacts and consider how best these can be managed.
  • Although there is, at present, no obligation under UK data protection law to complete a PIA, data controllers are encouraged by the Information Commissioner's Office (ICO) to adopt PIAs for projects where there may be genuine risks to the privacy of individuals.
  • The ICO has published a handbook on conducting PIAs. The handbook includes a list of screening questions to help organisations assess whether a PIA is recommended and what level of PIA to adopt. In broad terms a PIA will typically be recommended in cases where a project involves (but is not limited to) new or intrusive information technologies such as RFID, beacon and near field communications technology (NFC) which is increasingly used for payment devices in retail.  In fact, a specific framework around the use of RFID has been endorsed at a European level by data protection regulators.

Consent

  • Businesses should obtain positive consent from consumers before collecting and utilising personal data collected via beacon or RFID technology.
  • Consideration should be given to the extent of data usage: the more a business does with collected data, the more explicit the consent it will need. 
  • If a variety of communications are sent out using the data, then tiered consent is preferable.

Choice

  • It should be established whether push notifications are genuine and proportionate marketing or are simply bombarding consumers. Customers should be given opt-in/ opt-out routes for notifications and the option should be left open with a disabling function.
  • Businesses could consider tailoring opt-ins to allow consumers to choose between receiving general or personalised offers.
  • The CAP Code and regulator guidance must be adhered to when advertising and sending marketing communications.

Transparency

  • Consumers should be given transparency throughout the process of data collection.
  • Customers should know exactly what the business will do, how they will go about doing it, where their data will be stored, how long for, the security measures the business will have in place to keep the data secure as well as what their rights are in relation to the information.

Anonymisation

  • Wherever possible, personal data should be anonymised.  There should be continual review of whether the collected information can still be useful without needing to identify individuals.

Security

  • All personal information should be retained securely throughout its lifecycle.
  • Any business transferring data from phone devices to servers should keep data and processing trails clear and ensure that they are subject to robust security protocols.
  • Particular care should be taken around the transfer of any personal data outside the EU.