As shoppers become more digitally savvy, many are starting to question how retailers are collecting and using their personal information. Despite these concerns, rising rates of omnichannel returns fraud mean this data is more important than ever for retailers.

As retailers rely on fraud detection tools and other ever-changing innovations like ChatGPT to enhance the customer experience, they must ensure that these tools are responsibly managing consumer privacy.

As a result of increasing consumer concerns, the National Conference of State Legislatures reported in February that, "at least 25 states and Puerto Rico introduced or considered almost 140 consumer privacy bills in 2023."

In fact, Colorado, Connecticut and Virginia have each passed comprehensive privacy laws, similar to the landmark California Consumer Privacy Act, or CCPA, as they strive to regulate how businesses collect and sell the personal information of their residents. These initiatives are expected to grow and expand across more states in future years.

This regulatory focus on privacy makes it pivotal for retail businesses to understand laws like the CCPA as they continue to introduce more data-driven strategies such as returns-fraud detection.

What Responsibilities May Retailers Have Under These Privacy Laws?

Privacy laws like the CCPA are designed to increase transparency and control for consumers when it comes to what data is being collected about them and how it is being used.

This data may be collected from a variety of sources including directly from the consumer at a point of sale, via cookies from a website or from third-party sources. And this data may be used by retailers to power multiple technologies and touchpoints such as generative artificial intelligence, loyalty programs, and fraud detection tools.

Currently, all U.S. privacy laws require retailers to provide notice to customers regarding what personally identifiable information is being collected about them, how it's being used and by whom. This is typically found on a privacy notice or privacy policy that may be posted in-store and online.

And, if the retailer relies on a third-party vendor for any data collection or processing, their contracts must specifically outline the details of the data processing relationship.

As an example, if a retailer is relying on a third-party vendor to process personally identifiable information of its customers for fraud detection and policy enforcement, the retailer must have a data processing agreement in place with the solution provider.

This agreement must outline which party is the controller of the data, which party is processing the data, and the obligations each party has in relation to responding to consumer requests or ensuring privacy and security safeguards are employed.

How are Retailers Affected by Privacy Laws?

One misconception about emerging privacy laws is that they affect all businesses and services in the same way. However, these regulations are complex and impose different obligations based on numerous factors, including the business's purpose for collecting and using the data.

For example, some use cases may require a business to respond to consumer requests to know what data is being held or delete said personal data. Other use cases may be exempt from this requirement. As a result, each retailer should determine to what extent, if any, the privacy law applies to their uses of personal information.

This analysis is not a one-and-done exercise. Each time a retailer uses the data in a new way, or engages with a new solution provider, the retailer must ensure compliance with relevant privacy laws.

With each new application, the retailer must ask how it will use the data, and how that use case is regulated by applicable laws. This may involve implementing processes and procedures to deal with consumer requests to delete or correct their data.

If a retailer chooses to manage processes like automated fraud detection and personalized marketing in-house, it must find a way to segment consumer data across its different uses.

For example, the CCPA grants consumers extensive rights to control how and when a retailer may use personal data when it concerns targeted marketing, but retailers have broader runway to use the data if they are doing so for fraud detection.

As such, if a consumer requests that a retailer delete their data, the retailer will need to sort out which data should be deleted and which data can be maintained.
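The segmentation described above can be made concrete in code. The following is an added example, not the article's or any vendor's code: each data element a retailer holds is tagged with every purpose it serves, and a deletion request removes elements held only for non-exempt purposes (targeted marketing, loyalty) while retaining elements that also serve an exempt purpose such as fraud detection or fulfilling an open order, stripped of the non-exempt purposes so they cannot keep feeding marketing. The purpose names, the exemption mapping, the field names and the sample record are constructed assumptions for illustration.

```python
"""Purpose-based segmentation of consumer data and deletion-request handling.

Added illustration only. The purposes, the set treated as retention-exempt and
the sample record are constructed assumptions, not a statement of what any
specific statute requires for a given data element.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    MARKETING = "targeted_marketing"
    LOYALTY = "loyalty_program"
    FRAUD_DETECTION = "fraud_detection"
    ORDER_FULFILLMENT = "order_fulfillment"


# Assumption: purposes for which the retailer's legal review concluded data may
# be retained despite a deletion request (fraud detection, fulfilling the order).
RETENTION_EXEMPT = {Purpose.FRAUD_DETECTION, Purpose.ORDER_FULFILLMENT}


@dataclass
class DataElement:
    name: str
    value: object
    purposes: set  # every purpose this element is currently held for


@dataclass
class ConsumerRecord:
    consumer_id: str
    elements: list


def sample_record() -> ConsumerRecord:
    """Constructed sample: one consumer whose data serves mixed purposes."""
    return ConsumerRecord(
        consumer_id="C-0001",
        elements=[
            DataElement("email", "shopper@example.com",
                        {Purpose.MARKETING, Purpose.FRAUD_DETECTION}),
            DataElement("browsing_history", ["shoes", "jackets"], {Purpose.MARKETING}),
            DataElement("return_history", {"purchases": 12, "returns": 9},
                        {Purpose.FRAUD_DETECTION}),
            DataElement("shipping_address", "1 Main St",
                        {Purpose.ORDER_FULFILLMENT, Purpose.MARKETING}),
            DataElement("loyalty_balance", 420, {Purpose.LOYALTY}),
        ],
    )


def handle_deletion_request(record: ConsumerRecord, open_orders: int):
    """Apply a consumer deletion request and return (updated_record, audit_log).

    Elements held only for non-exempt purposes are deleted. Elements that also
    serve an exempt purpose are retained for that purpose alone; the non-exempt
    purposes are removed so the retained copy cannot be reused for marketing.
    The order-fulfillment exemption only applies while an order is still open.
    """
    kept, log = [], []
    for el in record.elements:
        exempt = el.purposes & RETENTION_EXEMPT  # new set; original untouched
        if Purpose.ORDER_FULFILLMENT in exempt and open_orders == 0:
            exempt.discard(Purpose.ORDER_FULFILLMENT)
        if exempt:
            kept.append(DataElement(el.name, el.value, set(exempt)))
            log.append(f"retained {el.name} for {sorted(p.value for p in exempt)}")
        else:
            log.append(f"deleted {el.name}")
    return ConsumerRecord(record.consumer_id, kept), log


def purposes_of(record: ConsumerRecord, name: str):
    """Return the purposes an element is still held for, or None if deleted."""
    for el in record.elements:
        if el.name == name:
            return el.purposes
    return None


def may_use(record: ConsumerRecord, name: str, purpose: Purpose) -> bool:
    """Access check: a retained element may only be used for its tagged purposes."""
    purposes = purposes_of(record, name)
    return purposes is not None and purpose in purposes


if __name__ == "__main__":
    updated, audit = handle_deletion_request(sample_record(), open_orders=0)
    for line in audit:
        print(line)
    print("email usable for marketing:", may_use(updated, "email", Purpose.MARKETING))
    print("email usable for fraud detection:",
          may_use(updated, "email", Purpose.FRAUD_DETECTION))
```

The audit log is the part a compliance reviewer will ask for: every retained element carries the exempt purpose that justifies keeping it, and the access check refuses marketing use of data that survived only under the fraud-detection exception.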

Do Consumers Have a Responsibility in Managing Their Privacy?

The CCPA and similar laws were created to support consumers, but they are most effective when the consumer understands their rights. Consumers should pay close attention to retail privacy policies and consumer notices, which are typically posted in-store and online.

These documents provide transparency about what data is collected and how it's used. Privacy policies are not required of all businesses, but when one is not available, the consumer should feel empowered to ask why there is not one and whether any data is collected or used.

As mentioned earlier, privacy laws apply differently to each business. Before a consumer issues a complaint or raises a violation concern, the consumer should contact the business directly to get clarity about the compliance program. If the consumer still has concerns, they can file requests to safeguard their private information.

What are the Exceptions to a Consumer's Privacy Request?

There are numerous exceptions within the CCPA that excuse a business from complying with a consumer privacy right request. For example, if a consumer requests to delete personal information that must be maintained by the business to fulfill the order, the request can be denied.

Similarly, a request to delete can be denied if the deletion would inhibit the retailer's ability to fulfill a warranty or conduct a product recall in accordance with federal law. These are just a few of the exceptions outlined in the CCPA. Each consumer request must be handled on a case-by-case basis as determined by the relevant privacy laws of the state in which the business relationship resides.

In addition, some business functions fall under common exceptions to privacy regulations — most notably fraud detection. This is a critical area of focus for retailers because the average retailer incurs $165 million in returns for every $1 billion of merchandise sold, with 10% of these returns being fraudulent.

Therefore, a consumer's request to delete data may be denied, so retailers can protect themselves from fraud. This is a critical exception because fraud detection often relies on consumer data to identify patterns and stop repeat offenders.

How is the Exception Used for Returns-Fraud Detection?

Retailers may rely on a few different data sets when analyzing purchases and detecting returns fraud. The most common is point-of-sale data. This includes how many purchases a consumer makes versus the number of returns made, how much money the consumer spends per purchase, and how frequently they make returns.

Returns-fraud detection teams and solutions will also track which payment methods are used by each consumer, like credit cards, store credit, loyalty points and cash. They may also consider where the consumer is shopping in comparison to where they are making returns. Finally, common identifiers are used to link consumers to their transaction history including names, addresses, emails and loyalty card information.

While this might seem like a lot of data to maintain on a consumer, the alternative to maintaining this information to detect fraud would be stricter return policies for every consumer — good or bad.

Without the ability to identify and deter returns fraud, retailers would have to restrict returns to avoid the unmanageable costs driven by those who commit return fraud. This would negatively affect all consumers and create friction in the shopping experience.

As a result, the fraud detection exception incorporated into the CCPA and similar laws ultimately helps to protect both retailers and consumers.

What's in Store for Retail Consumer Privacy?

The retail landscape is constantly evolving, and as a result, privacy laws will grow and change as well. As retailers navigate these changes, it's imperative that they understand their rights and protections, and pass this information along to their customers.

Privacy will remain top-of-mind for shoppers in the coming years. The retailers that adapt to ever-changing privacy laws efficiently and effectively will experience stronger customer relationships, and in turn, heightened profitability.

This article first appeared in Law360.
This article is for general information purposes and is not intended to be and should not be taken as legal advice.


Author

Kellie Beckman, General Counsel, Appriss Retail

Kellie Beckman is the general counsel and data protection officer for Appriss Retail. Kellie’s experience involves overseeing complex litigation, advising on employment law matters, managing M&A transactions, and organizing comprehensive global compliance programs. Kellie is a Certified Information Privacy Professional (CIPP/US). Kellie holds a Bachelor of Arts degree from Transylvania University and a Juris Doctorate degree from University of Louisville Brandeis School of Law.