Connected Retail: Where next for IoT and GDPR

Some 26 billion devices will be connected to the Internet of Things (IoT) by 2020, at least according to one estimate. IoT is becoming ubiquitous: connected devices range from visible fitness and health wearables to less visible devices embedded in fridges, heating systems and vehicles, all reporting back to cloud platforms. It may come as no surprise that Amazon Alexa was the number one consumer IoT gift last Christmas.

At a retail level, IoT presents not only attractive sales opportunities but the potential to broaden a retailer’s customer base, access valuable consumer data, analyse trends and push retail messaging to consumers, all to help generate new or incremental sales. These opportunities should of course be exploited only after successfully navigating the relevant privacy legislation. GDPR has finally arrived, but this is just the beginning of the new data protection journey (as we have all been reminded), not least because retailers now need to prepare for the new e-Privacy Regulation (once it is finalised at EU level).

“Traditional” online retail has used mechanisms such as virtual shopping lists and scheduled re-delivery slots to allow customers to reorder their favourite items. Now, IoT is rapidly automating this process. One-touch solutions such as Amazon Dash buttons allow consumers to order their favourite items without having to log into their account or re-enter payment details. Users of digital home assistants can add items to virtual shopping lists or order them for same-day delivery with a simple voice command (“Yikes”, we hear you say, “my children think this behaviour is so normal!”). Smart homes now include IoT-enabled fridges and cupboards that can automatically scan the barcodes of grocery items and re-order them. All of these devices offer savvy retailers a sophisticated way to interact with consumers, such as displays that offer recipe suggestions from grocery websites based on the ingredients in the fridge, or shopping suggestions based on the user’s calendar events.

The level of personalisation open to each consumer depends on the amount of personal data she or he is willing to share (“GDPR has at least given us back some control!”) but, with the right permissions enabled, linking devices across the home adds new data points to retailers’ data sets. For example, many work-out apps allow users to programme their wearables based on their specific fitness goals and to record the sports gear they use. Linked with data from smart cupboards and fridges, this can allow retailers to target consumers with ads (again, with the right permissions) for particular foods, supplements or sports gear. The more IoT-enabled devices a household has, and the greater the level of cross-device integration, the more personalised the retailer’s profile becomes. This has given rise to the Internet of Me (“IoM”), a shorthand name for the way online data sets about individuals are becoming so refined that two consumers will rarely share a common customer journey. This is of course exciting and scary in equal measure.

The ability to push personalised information, ads and offers to consumers via multiple devices may sound like a panacea for retailers, but this level of access also carries a high level of risk if the strategy, devices and apps do not adopt “privacy by design” from the outset and data protection impact assessments (DPIAs) are not undertaken. Retailers should also be alive to the fact that the definition of personal data is much broader than many realise (especially after the CJEU decision in Breyer v Bundesrepublik Deutschland, Case C-582/14, which held that a dynamic IP address can be personal data in the hands of a website operator that has lawful means of identifying the user through the ISP), and personal data of course triggers compliance with the GDPR regime. Saying that you only process aggregated and anonymous data may simply not be true: a device identifier, cookie ID or hashed customer number that the retailer (or a third party it can turn to) can link back to an individual is pseudonymous, not anonymous, and remains personal data.

The sheer quantity of data that linked devices may send to retailers, and its amalgamation through cookies, IDs, tags and profiling algorithms, increases the risk that a retailer may inadvertently end up processing sensitive personal data. For example, if a consumer with special dietary needs caused by an illness uses a large retailer for both their food and pharmaceutical needs, the retailer may, inadvertently, find itself processing sensitive personal data in the form of information about that customer’s health, even though no one ever entered a diagnosis. Under GDPR, health data is a “special category” of personal data (Article 9) and processing it is prohibited unless one of the Article 9 exceptions applies; for retailers the most likely route is the explicit consent of the customer.
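To make the two points above concrete (that a hashed customer key is not anonymous, and that joining innocuous purchase streams can manufacture health data), here is a small illustration added to this article. It is not code from the article or from any retailer; the loyalty-card table, orders and inference rules are all constructed, and the keyword rules stand in for whatever a real personalisation model would learn. It links a grocery stream and a pharmacy stream on a pseudonymous key, flags customers whose combined purchases match a health inference, and then resolves the pseudonym back to a name using data the retailer already holds.

```python
"""Illustration added to this article (not the article's own code): how
linking two purchase streams under one pseudonymous customer key can turn
everyday retail data into inferred health data, and why the pseudonym is
still personal data. All customers, products and rules are constructed."""
import hashlib
from collections import defaultdict

# Constructed loyalty-card table. The retailer keeps this, so any key derived
# from the card number can be traced back to a named person.
LOYALTY_CARDS = {
    "4411-0001": "Alice Example",
    "4411-0002": "Bob Example",
    "4411-0003": "Cara Example",
}


def pseudonym(card_number: str) -> str:
    """Derive the customer key used in analytics from the loyalty-card number.
    A hash looks anonymous but is only a pseudonym: the retailer can recompute
    it for every card it holds, which is a 'means reasonably likely to be used'
    in the sense of GDPR Recital 26."""
    return hashlib.sha256(card_number.encode("utf-8")).hexdigest()[:16]


# Constructed order data, keyed by pseudonym as an analytics platform would see it.
GROCERY_ORDERS = [
    (pseudonym("4411-0001"), "gluten-free bread"),
    (pseudonym("4411-0002"), "sugar-free cola"),
    (pseudonym("4411-0002"), "low-carb wraps"),
    (pseudonym("4411-0003"), "sugar-free cola"),
]
PHARMACY_ORDERS = [
    (pseudonym("4411-0001"), "vitamin d tablets"),
    (pseudonym("4411-0002"), "blood glucose test strips"),
]

# Hypothetical inference rules of the kind a personalisation model embeds:
# (inferred condition, grocery keyword, pharmacy keyword). A rule fires only
# when BOTH streams match, which is exactly the amalgamation risk: neither
# data set on its own says anything about health.
INFERENCE_RULES = [
    ("diabetes", "sugar-free", "glucose"),
    ("lactose intolerance", "lactose-free", "lactase"),
]


def link_streams(grocery, pharmacy):
    """Join the two purchase streams on the pseudonymous key."""
    linked = defaultdict(lambda: {"grocery": set(), "pharmacy": set()})
    for key, item in grocery:
        linked[key]["grocery"].add(item)
    for key, item in pharmacy:
        linked[key]["pharmacy"].add(item)
    return dict(linked)


def infer_special_category(linked, rules=INFERENCE_RULES):
    """Return {pseudonym: set(conditions)} for customers whose combined
    purchases match an inference rule, i.e. records that now carry
    Article 9 health data even though nobody entered a diagnosis."""
    flagged = {}
    for key, streams in linked.items():
        grocery_text = " ".join(streams["grocery"])
        pharmacy_text = " ".join(streams["pharmacy"])
        hits = {
            condition
            for condition, g_word, p_word in rules
            if g_word in grocery_text and p_word in pharmacy_text
        }
        if hits:
            flagged[key] = hits
    return flagged


def reidentify(key, cards=LOYALTY_CARDS):
    """Resolve the 'anonymous' key to a name using data the retailer holds."""
    for card_number, name in cards.items():
        if pseudonym(card_number) == key:
            return name
    return None


def dpia_findings():
    """Sorted (name, condition) pairs a DPIA reviewer would want to see."""
    linked = link_streams(GROCERY_ORDERS, PHARMACY_ORDERS)
    return sorted(
        (reidentify(key), condition)
        for key, conditions in infer_special_category(linked).items()
        for condition in conditions
    )


if __name__ == "__main__":
    for name, condition in dpia_findings():
        print(f"{name}: inferred {condition!r}; this is Article 9 data, "
              "so explicit consent or another Article 9 basis is needed")
```

Run it and only Bob is flagged: Cara buys the same sugar-free cola but has no pharmacy record, and Alice's gluten-free bread plus vitamin D matches no rule, so each stream looked harmless until the join. The useful DPIA habit this shows is to run the inference rules (or the model's feature list) against the joined data set before it is used, and to treat any key that `reidentify` can resolve as personal data regardless of how it was hashed.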

IoT presents fantastic opportunities for retailers at so many levels. That said, now that we are all firmly on the GDPR journey, it will come as no surprise that a successful IoT strategy means giving proper consideration to privacy restrictions early in the design process, including being alert to the potential need for DPIAs and obtaining “buy-in” from all relevant stakeholders to the concept of privacy by design.