Businesses of all kinds are making increased use of advanced technology in their marketing and investing more resource in data analysis to enable a much more bespoke approach. At the same time, the public are increasingly sensitive to big brother monitoring by businesses: "how do they know I was searching for a new car?", "how did they get my email address?" or "how do they know I went past their store on Monday?".
The technology for big data analytics is often developed by innovative technology businesses who concentrate on the cutting-edge aspects of the technology and not more prosaic issues such as compliance with data privacy concerns. This point was made forcefully by the Information Commissioner’s Office (ICO) in guidance published in December 2013 highlighting the data protection issues that should be addressed by developers of apps.
For business the concern is to ensure that data protection compliance keeps pace with the "white heat" of technological innovation.
How do the Data Protection Act 1998 (the DPA) and other privacy legislation apply?
"Personal data" is defined in the DPA as data that relates to an identifiable living individual. "Identifiable" means that the individual can be identified from that data, either alone or in combination with other information.
The DPA sets out specific obligations on organisations in terms of how they use personal data.
Clearly not all marketing methods using advanced technology will be capable of being classified as involving "personal data" in isolation. However, it is important to remember that if any data, in combination with other information, can lead to an individual being identified, this would make the information "personal data".
Direct electronic marketing is governed by specific rules in the Privacy and Electronic (EC Directive) Regulations 2003 and, as with the Act, the ICO has provided very detailed guidance on the interpretation of this legislation in addition to numerous best practice requirements that should be considered.
The advanced technology marketing methods causing concern
Mobile phone tracking and location data
This enables businesses to pick up media access control (MAC) addresses from customers' mobiles. For example, in the retail context, information can be gathered on how often customers visit a store, how much they spend when they do and other footfall patterns. It can also be used to track the number of people who walk past a store but don't go in.
Businesses are also increasingly sending members of the public – potential consumers – location-specific messages with targeted deals or vouchers via text or apps to smart phones.
Guidance from the ICO has clarified that, individually, mobile phone location data and store loyalty cards are examples of big data analytics which do involve the processing of personal data.
Signing up for free wifi, be it in a store, hotel or coffee shop, involves a customer providing their name, email address and, sometimes, phone number. The internet service provider will have access to this information, and may share it with third parties.
Businesses using customer data through wifi sign-up need to be aware of their obligations under the DPA.
Technology that was initially used exclusively for the purposes of crime prevention is beginning to assume a role in generating new business. Retailers can now monitor how busy a store is, how long customers stay in certain areas of the store and trends in product choices – what shoppers are both picking up and putting down.
Whether or not a person is identifiable from the CCTV is the main issue here. It is widely accepted that individual customers cannot be identified from CCTV alone, and therefore there is no 'personal data' to be the subject of the DPA.
An area of difficulty could be where CCTV is used in conjunction with other marketing methods, such as phone tracking and/or location-specific messages. This could potentially give rise to a situation where an individual could be identified, such as where they were the only shopper in the store.
A possible way around this may be to segregate the way each system is run so that the information cannot be amalgamated to form identifiable personal data.
Facial scanning video screen advertisements determine the gender and age of the viewer, and this information is used in conjunction with particular times and locations to assist businesses in tailoring adverts.
Video screen adverts are not yet as widely used as other new technologies. It has been argued that the face-reading screens are less intrusive than CCTV monitoring, but opinion is divided and, as the approach from the ICO is not clear, considered privacy design is paramount.
Businesses may integrate with applications made by third parties such as payment providers. It is essential that the correct protocols are put in place for the transmission of personal data from one business to another.
What should businesses be doing?
Speaking at a recent European conference, Christopher Graham, the Information Commissioner, highlighted a number of themes arising out of research conducted into public perceptions of privacy and data protection. Most commonly, members of the public want to know how their data is being used, to understand the purpose and benefits of data sharing and how secure their data is. With these concerns in mind, it is essential that customers are kept informed about how their behaviour is being tracked, both in the online and physical environments, and how their data will be used. Businesses should be upfront about what monitoring they will be doing and explain at appropriate junctures in the sales (and non-sales) journey the benefits to the customers and how their anonymity will be protected.
Where personal data is going to be collected and processed, customers should be given a clear, fair and unconditional way to opt out of this; businesses should ensure that they obtain compliant consents from customers to process or share their data and certainly before it is used to issue direct marketing.
The consequences of non-compliance can be serious. A fine may be imposed but the greater damage may be the reputational damage suffered if the public perceives a cavalier or otherwise insensitive approach to the handling of personal data.