Through a special arrangement, what follows is a summary of an article from Retail Paradox, RSR Research's weekly analysis on emerging issues facing retailers, presented here for discussion.
Advertising Age recently reported on five expected areas of focus for the Federal Trade Commission (FTC) this year. All five revolve around consumer privacy and data security. This could become an uncomfortable situation for retailers and end up costing time, resources and money if the industry doesn't act now.
Specifically, the FTC is going to focus on de-identification and re-identification. In English: When your in-store MAC address tracking vendor says he's "hashing the MAC address so it's not readable," he's de-identifying the data. When your not-so-friendly neighborhood hacker "defeats the hashing algorithm and reconstructs the MAC address," that means it has been re-identified.
The FTC is also focusing on data security. I don't think the agency has much of a choice at this point. The data gathering industry just has not proven it can be trusted to secure the personal data that's gathered routinely, rented and shared.
All this is by way of giving some good advice. If you decide to implement any form of in-store tracking and/or sharing data with others, it's very important to follow some basic best practices:
1. Ensure your selected vendor has a real and ongoing commitment to securing and encrypting any data gathered on your behalf. I don't know how many ways we can say this: You cannot have a static standard in an evolving world. A good friend of mine's father was a cryptographer in World War II. He always told her, "If it can be encrypted, it can be decrypted too." That means those encryption standards have to be continually changed — whatever they are. There is no magic bullet.
2. Ensure your opt-in/opt-out policies are clear and readily visible in your stores and on websites. If you've got location tracking enabled in store, visible signage really should read, "If you do not want to participate, please turn off WiFi/Bluetooth" (depending on your tracking mechanism). Yes, I do believe it should be that specific. On websites, if a customer buys something and checks out as a guest, be very clear that her data will be kept for a period of time and explain why.
3. If you're going to share data you collect with data brokers, be clear about it. Right now, all consumers get is, "We will never share or rent your data" from sites that are opposed to the idea. That's a very good thing, but the transparency in the other direction is pretty important too. "Your data can be shared with others."
What is the likelihood that the FTC will follow through on creating standards for data identification/de-identification?