FTC focuses on in-store tracking and data security

Through a special arrangement, what follows is a summary of an article from Retail Paradox, RSR Research’s weekly analysis on emerging issues facing retailers, presented here for discussion.

Advertising Age recently reported on five expected areas of focus for the Federal Trade Commission (FTC) this year. All five revolve around consumer privacy and data security. This could become an uncomfortable situation for retailers and end up costing time, resources and money if the industry doesn’t act now.

Specifically, the FTC is going to focus on de-identification and re-identification. In English: When your in-store MAC address tracking vendor says he’s "hashing the MAC address so it’s not readable," he’s de-identifying the data. When your not-so-friendly neighborhood hacker "defeats the hashing algorithm and reconstructs the MAC address," that means it has been re-identified.

The FTC is also focusing on data security. I don’t think the agency has much of a choice at this point. The data gathering industry just has not proven it can be trusted to secure the personal data that’s gathered routinely, rented and shared.

All this is by way of giving some good advice. If you decide to implement any form of in-store tracking and/or sharing data with others, it’s very important to follow some basic best practices:

1. Ensure your selected vendor has a real and ongoing commitment to securing and encrypting any data gathered on your behalf. I don’t know how many ways we can say this: You cannot have a static standard in an evolving world. A good friend of mine’s father was a cryptographer in World War II. He always told her, "If it can be encrypted, it can be decrypted too." That means those encryption standards have to be continually changed — whatever they are. There is no magic bullet.

2. Ensure your opt-in/opt-out policies are clear and readily visible in your stores and on websites. If you’ve got location tracking enabled in store, visible signage really should read, "If you do not want to participate, please turn off WiFi/Bluetooth" (depending on your tracking mechanism). Yes, I do believe it should be that specific. On websites, if a customer buys something and checks out as a guest, be very clear that her data will be kept for a period of time and explain why.

3. If you’re going to share data you collect with data brokers, be clear about it. Right now, all consumers get is, "We will never share or rent your data" from sites that are opposed to the idea. That’s a very good thing, but the transparency in the other direction is pretty important too. "Your data can be shared with others."

BrainTrust

Discussion Questions

What standards around the use of consumer data should become standardized across retail? What minimal level of transparency should retailers adopt around consumer tracking?

Poll

8 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Phil Rubin
Phil Rubin
10 years ago

The standards around consumer data and privacy should be full transparency. Paula is right that we should all expect increasing regulation and policing from the FTC in this area and it’s actually about time. Too many companies – and marketers – are simply too irresponsible about their use of customer data. Let the brands that develop bona fide relationships and trust with their customers prevail.

Gib Bassett
Gib Bassett
10 years ago

Target’s experience suggests that consumer data should become an asset to be protected like money and receive the proper attention.

That’s not too far-fetched when you think about competitive retail in the future depending wholly on insights that are as much in-step with a consumer shopping mindset as is technically possible.

In terms of transparency, it may be a good idea not to hide data privacy and usage details in the fine print of the retail website. Instead, create a preference center where it’s clear the intent is to respect and secure individual data for the purpose of providing a superior shopping experience. Make it easy for the consumer to opt into and out of communications without multiple confirmation steps or a long latency between making a request and responding.

Ken Lonyai
Ken Lonyai
10 years ago

Paula’s article touches upon key points. I believe if the industry wants to be forthright and trusted by shoppers, they have to put their practices in the light of day.

I recommend a standard signage format with minimal verbiage in common English, supported by iconography, be posted inside the entrance of every physical retailer, delineating their data gathering/tracking practices and how consumers can opt-out. Doing so would send a message that the consumer is in control of their data, privacy, and shopping experience.

A trade group like the NRF could lead the discussion and create proposed guidelines for retailers to work from.

Camille P. Schuster, Ph.D.
Camille P. Schuster, Ph.D.
10 years ago

Clear signage and information should be visible and readable. In the US, research shows consumers are willing to give some data in return for something of value. So the clear language suggested in the article will not scare those consumers away. Vigilance regarding the security measures used by any organization handling your consumer data is critical because ultimately the fault for any breach will come back to your company not your outsourced provider.  Remember to provide value to consumers who share their data or they will stop being willing to share. If you can not provide value, as perceived by the consumer, and do not ensure security or privacy, consumers will balk at having their data collected.

Ryan Mathews
Ryan Mathews
10 years ago

I think this is a very dangerous area. The industry clearly needs to develop tough standards before they are forced on it.

Specifically, issues associated with privacy, ownership of data and — of course — security are all IEDs (information-based explosive devices) just waiting to explode.

As to what the minimum level of transparency should be, I’d advocate nothing less than full transparency.

Bill Davis
Bill Davis
10 years ago

Enlightened retailers will adopt full transparency, but this will be more the exception than the rule, unfortunately. Retailers should have a consumer’s permission to collect data as well as to use it.

And protection of consumer data needs to have a higher priority. Target being hacked on the scale it was is a clear sign that this is still a work in progress for most retailers.

Ralph Jacobson
Ralph Jacobson
10 years ago

Great article, Paula! This is a challenge that will probably be with us for some time yet. Additionally, what about outside the U.S.? As soon as consistent standards are in place in the U.S., the hackers will catch up to them, as you stated. Further, at what point will international standards be effectively implemented?

A good approach for merchants today is to communicate with shoppers via complete transparency so there are no surprises. Additionally, technologies available in the market place from several vendors have very cost-effective solutions to help safeguard data very well.

Consumer tracking needs to be maintained. With proper customer communications to ensure that they understand this is to help THEM, by keeping the products they want in-stock at store level, shopper tracking will be embraced more than it is currently.

Gordon Arnold
Gordon Arnold
10 years ago

For the time being, retailers wishing to secure the transaction data they need should consider hard wiring through secure sockets that are monitored for security breaches. This might sound a bit pricy, but it will not take the legal experts and courts long to discover that the current hot topic issues of security breach were IT system mismanagement and cost cutting measures. These realizations should lay the groundwork for some serious settlement dollars and legal fees in the not to distant future.

If the courts fail to slow the haphazard way data is held then the insurance industry surely will.

As for the FTC, well let’s just say that their ability to stay ahead of the curve and shut down data mining is at best a dream that will never come true. Where the retail industry stands to lose the most is with consumers having a clearer understanding of what data security is and where it is. When the customer knows as much or more as the provider, there is no way to remove the negligence witnessed first hand through disclosure and the consequences that will most certainly follow.