The Rise of Consumer Data Privacy: Next Steps for Retail

With consumers’ preferences for online shopping encouraged further by the pandemic, and everyday interactions and transactions going online, the sheer volume of data generated has doubled as a gold mine for retail businesses to tap into. In fact, according to a 2021 study, 72% of consumers mentioned that they browsed and shopped for apparel online, with several retail giants indicated as top preferences for online shopping.[1]

With data collected from customer touchpoints expected to increase to 175 ZB by 2025 (upwards from 33 ZB in 2018),[2] data is poised to become the new currency of the era. However, this rapid growth has created its own concerns for the retail industry, including data management and consumer privacy. This is where a challenging duality arises: while the quest for superior customer experience has hyper-personalization, effective recommendations, and customized content as pre-requisites, there has also been an increased demand for privacy, data security, and the right to be forgotten/the right to erase.

In connection with the latter, a study found that 70% of consumers “want to be explicitly required to opt-in before the site shares or sells their personal information” and 64% believe “advertisers should not be allowed to build a profile of me for targeted ads unless I grant permission or opt-in.”[3]

The importance of the move towards an opt-in standard is undeniable given the current economic climate, where nurturing positive relationships with customers is essential to business survival, and where increasing privacy regulations, including the GDPR, CCPA, and data protection bills across countries, can lead to severe penalties. For instance, in a much-discussed case, a major apparel retailer faced upwards of $200 million in legal fees for exposing a customer’s private information.[4] Similarly, a major children’s clothing retailer, under the latest CCPA guidelines, was faced with a lawsuit after revealing that customers’ names, credit card information, and other personal data had been stolen by hackers.[5]

With newer technologies such as AR/VR fitting rooms becoming commonplace following the pandemic, the question of how sensitive personal information, including facial features, ethnic and racial origins, health data, and biometric data, will be used raises yet another concern. As such data can be shared with multiple stakeholders, including technology providers, suppliers, retailers, marketers, and product developers, it can lead to serious privacy breaches. Further, such data is prone to becoming the target of cyberattacks—necessitating more stringent data-handling processes.

In fact, retailers have begun to take active steps toward ensuring data privacy: a major technology retailer recently announced plans to introduce new features into their OS such that opting in to data sharing would become the standard, as opposed to general opt-out choices.[6] This is expected to create a revolution in the data market, emphasizing zero-party data—data intentionally shared with retailers by consumers—as the new norm.

Done wrong, data privacy measures can hurt speed to market and damage brand reputation in the event of breaches or poor customer experience. Done right, data privacy for retail can reduce time to market and regulation-enforced actions, improve customer experience and satisfaction, and ensure that all business endeavors center on customer privacy. The following are a few ways in which retailers can ensure that their data handling processes are in line with consumers’ and regulatory requirements:

Ensuring Customer-centricity in Data Management

A streamlined UX, where opt-in/opt-out, data access, and permissions information is available at a single location, can go a long way in enabling a proactive privacy strategy for retailers.

AI can be utilized here to develop effective multifactor authentication methods for consumer-facing applications. Such applications can also be customized, ensuring that consumers have full control of the data provided to retailers.

Consumer-focused notifications with information on the AI systems handling their information, options for them to have their data deleted from databases, as well as information on stakeholders who have access to their data, can help ensure transparency and create an ongoing discussion on consumer protection and rights.

Customers’ reactions to such changes can also be effectively analyzed using data-driven tools to further enhance their retail experience, ensuring that the move towards privacy and greater transparency has the customer at its heart. Another important consideration for any retail business is the move towards a customer data platform (CDP) [7] where all data regarding consumers can be aggregated in a single place, allowing for a more holistic view of them. Such 360-degree information ensures that customer data is not lost, that its various sources are always kept track of, and that data storage and access can be monitored at all times.

AI can further facilitate this monitoring process by tracking and identifying individual sets of data, providing retailers information on the creator and subject of the data, the dataset’s expiration date, and even automating dataset deletion after expiration. Further, as it presents an effective way to process large amounts of data without human intervention, AI is set to become an important way to safeguard sensitive data.

Integrating Privacy into Application Design

As a first step towards achieving sustained customer privacy in the retail industry, security must be baked into the software development policies of retail businesses. Ensuring a focus on privacy from the get-go can help meet security and privacy standards for a large number of applications developed, improve go-to-market times, and highlight data protection as a core USP for retailers. AI can go a long way here in helping retailers develop applications in compliance with regulatory information, build tools to gauge customers’ privacy experiences across various touchpoints, ensure the security of cloud environments, and automate granular actions, such as data cleaning and labelling, to ensure best practices for retail DTC applications. Data privacy solutions that go beyond compliance and regulations can therefore be built, ensuring effective risk management, proactive security, and better brand building across the board.

Another critical factor here would be utilizing data-discovery-based AI tools to gain a comprehensive overview of the data being collected, for instance, in terms of the scope of private information being handled. Following this, retailers would be better equipped to handle Data Subject Access Requests (DSARs) quickly, ensuring greater compliance with regulations and reinforcing customers’ agency.

AI-drawn data maps can further accurately classify information from various sources, and data-driven approaches can even help detect risk factors for data maintenance. This in turn can help retailers determine spend on data security, examine how various sets of information and systems are directly linked to threat landscapes, and identify areas where improved security can bolster business value.

De-identifying Data & Differential Privacy

As stricter measures to secure customer data have been necessitated by governments and regulatory bodies, and as the complexity of cyberthreats increases, there is the need to go beyond traditional security measures to use AI-driven approaches where data is de-identified before analysis. This ensures that data can still be leveraged to inform diverse business functions, including retail promotions, pricing, marketing, points of sale, and so on, while maintaining individual customers’ privacy. Further, in case more specific information is required, data can then be re-identified for certain specific teams; this ensures that data cannot be linked across functions to determine personal information. As retail businesses handle several complex sources of customers’ data, including location, transaction history, and demographic data, it also becomes important to make sure that only authorized users have access: AI can automate this process, ensuring comprehensive security.

Moreover, going one step beyond de-identifying data, differential privacy is emerging as an effective method of anonymizing information. Channels such as surveys, customer feedback forms, and so on can provide rich information on individual users’ habits, patterns, and inclinations. While this information can be fed into predictive models, for instance, to get estimates on spend inclination and store footfall, the risk of data being linked back to individuals still remains. A differential privacy system can randomize information, making such linking back impossible. Data collected can therefore be effectively analyzed by AI & ML models, all the while ensuring that customer identities are protected and regulations are complied with.
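One concrete way to randomize survey answers as described above is randomized response, a local differential privacy mechanism. The sketch below is an added example, not code from the article; the yes/no survey question, the 30% true rate, the sample size and epsilon = ln 3 are all constructed assumptions.

```python
import math
import random

def truth_probability(epsilon: float) -> float:
    """Probability of reporting the true answer under epsilon-local DP."""
    return math.exp(epsilon) / (1.0 + math.exp(epsilon))

def randomize(answer: bool, epsilon: float, rng: random.Random) -> bool:
    """Runs on the customer's side: keep the answer with probability p, else flip it."""
    return answer if rng.random() < truth_probability(epsilon) else not answer

def estimate_rate(reports: list, epsilon: float) -> float:
    """Debias the noisy 'yes' rate: observed = p*t + (1-p)*(1-t), solved for t."""
    p = truth_probability(epsilon)
    observed = sum(reports) / len(reports)
    return (observed - (1.0 - p)) / (2.0 * p - 1.0)

def simulate(n: int = 20000, true_rate: float = 0.30,
             epsilon: float = math.log(3), seed: int = 7):
    """Constructed survey: returns (actual rate, private estimate, share of flipped answers)."""
    rng = random.Random(seed)
    truths = [rng.random() < true_rate for _ in range(n)]
    # The retailer only ever receives `reports`, never `truths`.
    reports = [randomize(t, epsilon, rng) for t in truths]
    flipped = sum(t != r for t, r in zip(truths, reports)) / n
    return sum(truths) / n, estimate_rate(reports, epsilon), flipped

if __name__ == "__main__":
    actual, estimate, flipped = simulate()
    print(f"actual={actual:.3f} estimate={estimate:.3f} flipped={flipped:.3f}")
```

Any single stored answer is wrong about a quarter of the time at this epsilon, so it gives only limited evidence about the individual, while the aggregate estimate stays close to the real rate.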

Differential privacy has also given rise to federated learning, a technique that involves training prediction models on customer data, while the data remains on devices. As such, raw data remains with the end consumers, ensuring privacy while also providing rich information to businesses to incorporate into their business strategies.

Data Sanitation and Tokenization

As unstructured data, including social media posts, videos, and log files, is proving to be a significant source of customer information for retail businesses, there is a simultaneous need to remove traces of sensitive information to ensure individuals’ privacy: this is where AI can be utilized to sanitize large datasets. Further, data tokenization can also be employed here, where crucial information can be substituted with a randomized token and thereafter stored securely. For example, when sharing information with third-party vendors, customers’ demographic information can be substituted with tokens. After the analyses have been completed, the data can be re-integrated with the retailers’ system, preserving data while also ensuring that the risk of leaks and cyberattacks in a third-party environment is minimized.
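The vendor hand-off described above, as an added example that is not part of the original article: sensitive fields are swapped for random tokens before export and restored on return. The `TokenVault` class, the field names and the customer records are hypothetical and constructed; a real vault would be a secured, access-controlled store rather than an in-memory dict.

```python
import secrets

SENSITIVE = ("email", "postcode", "birth_year")  # assumed sensitive fields

class TokenVault:
    """In-memory stand-in for a secured token store (assumption for the demo)."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, field, value):
        # Same (field, value) always maps to the same token so the vendor
        # can still group and join rows without seeing the real value.
        key = (field, value)
        if key not in self._by_value:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            self._by_value[key] = token
            self._by_token[token] = key
        return self._by_value[key]

    def detokenize(self, field, token):
        stored_field, value = self._by_token[token]  # KeyError for unknown tokens
        if stored_field != field:
            raise ValueError("token was not issued for this field")
        return value

def export_for_vendor(records, vault):
    """Copy of the records with sensitive fields replaced by tokens."""
    return [{k: vault.tokenize(k, v) if k in SENSITIVE else v
             for k, v in r.items()} for r in records]

def reintegrate(rows, vault):
    """Restore original values in rows returned by the vendor."""
    return [{k: vault.detokenize(k, v) if k in SENSITIVE else v
             for k, v in r.items()} for r in rows]

# Constructed sample data; rows 0 and 2 belong to the same customer.
CUSTOMERS = [
    {"email": "a.rao@example.com", "postcode": "560001", "birth_year": 1988, "basket_total": 74.5},
    {"email": "j.lee@example.com", "postcode": "110011", "birth_year": 1995, "basket_total": 19.0},
    {"email": "a.rao@example.com", "postcode": "560001", "birth_year": 1988, "basket_total": 32.0},
]

if __name__ == "__main__":
    vault = TokenVault()
    shared = export_for_vendor(CUSTOMERS, vault)
    print(shared[0])
    print(reintegrate(shared, vault) == CUSTOMERS)
```

Repeatable tokens keep joins working but also preserve how often each value occurs, so low-cardinality fields such as birth year still reveal their distribution to the vendor.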

Moreover, large and complex customer-facing applications are themselves at risk of attacks from hackers, owing to the extensive customer information stored on retail platforms. Research conducted in 2019 found that 2,799 retail applications running over 509 domains in Europe were compromised, with 4% considered suspect and 27% of them having known vulnerabilities.[8] AI here becomes imperative to developing intelligent cybersecurity responses: aiding vulnerability management, improving threat detection, and even enabling real-time analytics such that attacks such as credit card fraud can be identified and addressed immediately. With an increase in e-commerce initiatives making more retailers vulnerable to attacks, using AI to identify and fortify risk areas, including mobile applications, test environments, and so on, is crucial in ensuring continued consumer protection and privacy.

With the explosion of data across the retail space in the last few years, customers have expressed increasing concerns about their privacy and the many ways in which their data can be shared and utilized. Given the rising threat of cyberattacks as well, moves towards more advanced applications have been necessitated to ensure a better, safer customer experience. By automating data-handling processes and reducing human intervention, AI can help retailers strike the right balance between personalization and customer privacy, giving them a competitive edge in today’s data-first world.

Delivery Manager

Himanshu Misra