With online retailing and use of social media, retailers can build up a treasure trove of data about customers, their personal information and buying preferences. This data can have enormous value. But you need to be mindful of obligations under the Data Protection Act. If you breach the Act, there can be serious consequences in terms of fines (the Information Commissioner can fine up to £0.5m), adverse publicity and loss of customer trust. Here are some key points.
Notification: most businesses need to notify the Information Commissioner of their data processing. It’s simple and cheap to notify. It’s a criminal offence if you don’t.
Privacy policy: where you collect personal information, you have to tell customers what you plan to do with it. This is normally set out in a privacy policy accessible on the website.
E-marketing: for e-marketing (including SMS), you need to have consent (opt-in), except for e-marketing to existing customers of products similar to those which they have previously purchased. All e-marketing communications must include a simple mechanism (e.g. a link) for the customer to opt out.
Opt-outs: a customer must always be able to opt out of marketing communications. Best practice is to retain them on your database, but suppress future marketing communications.
Cookies: since May 2012, the new rule on website cookies has been enforced. Before your website drops a cookie onto the user’s device, the user must have clear information about the nature and purpose of the cookie and must consent to it. The more sensitive the cookie in terms of personal information, the more you will need to do in terms of providing information and seeking consent. An anonymous Google Analytics cookie is different to a cookie which stores personal information so as to deliver targeted behavioural advertising across networks of websites.
Data security: you must put in place appropriate technical and organisational measures to prevent unauthorised access to and accidental loss of data. Substantial fines have been imposed on organisations that have been negligent in their handling of personal data. You must also ensure that you have contracts with third parties who process data for you, under which they provide data security guarantees to you.
Security breach: TK Maxx and Cotton Traders would prefer not to be known for the data loss or theft which they suffered. If such a security breach happens, it is critical, in order to manage the risk, to have adopted and to follow a security breach policy.
Data transfers: the Data Protection Act prohibits transfers of personal data outside of the European Economic Area. In order to make such transfers, legal arrangements need to be put in place to safeguard the data. This might include the transferor and transferee entering into a standard contract in a form that has been approved by the EU or (in the case of transfers to the USA) the US company being registered as a “Safe Harbor”.