Harnessing the value of augmented shopping through responsible personal data handling
Augmented shopping is opening up new and exciting ways for retailers to both engage with consumers in the digital space and, in the same click, address real-world stock management and sustainability issues. It’s an exciting progression and a new era in the retail industry. But as these experiences are typically powered by personal data, there are important legal data protection issues that retailers should be aware of when designing augmented shopping experiences for their customers. This article explores the role of personal data in augmented shopping and the proactive legal principles and considerations this triggers.
What is augmented shopping?
Augmented shopping is the overlay of digitally created 3D content onto a customer’s real-world imagery or environment to enable the customer to engage with brands and products via personalised digital experiences. These include “try on” experiences for products that a customer wears, such as make-up, glasses, and shoes, and “try out” experiences for products placed in a customer’s environment, such as furniture and home décor.
Augmented shopping has exceptional benefits for both customers and retailers. For customers, augmented shopping provides an opportunity to digitally “try before they buy” from the comfort and convenience of their own home. For retailers, augmented shopping can drive revenue through increased conversions of browsers to buyers and decreased product returns, as customers have already digitally evaluated product suitability. Reducing the volume of product returns also has positive implications for a retailer’s ESG profile.
Augmented shopping experiences have grown exponentially in recent years, fuelled in particular by the pandemic and the shift of more of our everyday interactions to an online format. Retailers in many spaces will therefore want to consider making augmented shopping experiences available in order to capitalise on the benefits they offer and remain competitive.
The role of personal data
In offering a personalised experience, augmented shopping typically involves the processing of personal data. This may take the form of a selfie, uploaded to try on different lipstick shades (such as Mac’s “Virtual Try-On” feature), or a picture of a living room, uploaded to see how an armchair would suit a particular corner of the room (see John Lewis’ “Virtual Sofa” feature). Where this data can identify individuals, it will be “personal data” falling within the scope of data protection laws.
Data protection laws in the UK and EU (as well as in many other countries) impose a comprehensive raft of obligations on organisations that use personal data as controllers or processors, and the penalties for non-compliance can be serious. Under the UK GDPR, penalties include statutory fines of up to £17.5 million or 4% of global annual turnover, compensation obligations to individuals, stop processing and deletion orders, and in some cases, criminal offences. Worse yet is the risk of compromising customer personal data, losing consumer trust, and damaging brand reputation.
On the other hand, by ensuring augmented shopping experiences only process personal data in ways that are compliant with data protection laws, and by demonstrating that the protection of consumer data is a top priority for their business, retailers can win consumer trust. Robust data protection governance can therefore be a strong enabler to product and business development and allow retailers to confidently harness the value of augmented shopping.
Data protection by design and the data protection principles
Considering the data protection implications at the outset of designing your augmented shopping experiences is vital. The GDPR’s “data protection by design” obligation (along with the related “data protection by default” obligation) requires organisations to implement technical and organisational measures to ensure that the data protection principles are ingrained into product design and complied with at every stage of the processing lifecycle.
For a retailer, this means taking steps to ensure and demonstrate that its augmented shopping experience effectively implements the following data protection principles:
Lawfulness, fairness, and transparency
Ensure you have an appropriate lawful basis for processing the personal data (and that your use of that data otherwise complies with the law), and that your data processing is not unexpected or misleading. Additionally, ensure that customers are transparently informed of how and why you are handling their data. Transparency is a fundamental aspect of responsible data processing because customers have a right to understand, in a clear and comprehensive way, how and why you will use their personal data.
Zoom in on lawfulness – example
The lawful basis of consent is likely to be most relevant in the augmented shopping context because the customer will usually have a genuine choice about whether to participate in the augmented shopping experience. For consent to be valid, retailers need to ensure that it is collected, recorded, and managed in line with the GDPR and potentially also electronic marketing laws. The performance of contract lawful basis may also be appropriate in some circumstances.
Zoom in on transparency – example
A “just-in-time” privacy notice is an effective way of communicating information about how and why you will process a customer’s personal data at the moment it is collected. If presented well, privacy notices can be a fantastic opportunity to win consumer trust – most complaints arise when people do not have visibility over what you are doing with their information.
Purpose limitation
Ensure you have a defined purpose for processing the personal data and that you do not use the data for any other purpose unless it is compatible with the original purpose.
Zoom in on purpose limitation – example
If you collect the personal data solely for the purpose of allowing the customer to try on a product, it would not be acceptable to use the customer’s image for a completely different use case, such as commercial research and product development purposes (e.g., understanding what types of facial features your customer base has, or training AI algorithms) or for targeted advertising (e.g., advertising only certain shades of make-up to the customer based on their skin colour).
Data minimisation
Ensure you only process personal data that has a rational link to your defined purpose and that you only process the minimum amount of data required to fulfil the purpose.
Zoom in on data minimisation – example
In relation to augmented shoe shopping, it may only be necessary for customers to upload an image of their foot. However, it might also be possible to justify the processing of a full body image if it more effectively allows the customer to evaluate the suitability of the product.
Accuracy
Ensure that the personal data you process is accurate and not misleading.
Zoom in on accuracy – example
Heavily airbrushing a customer’s selfie before overlaying a pair of glasses could be considered to be misleading if the individual is expecting the augmented shopping to be a realistic rendering of what the glasses would actually look like. You should also make the customer aware (and obtain consent, if applicable) if you are going to alter their personal data as this is a form of processing.
Storage limitation
Ensure you do not keep the personal data for any longer than is needed to fulfil your defined purpose.
Zoom in on storage limitation – example
In many cases, personal data collected as part of an augmented shopping experience will be processed in real time and will not need to be stored at all. In other cases, the defined purpose (and consent, if applicable) may permit the storage of personal data on a customer’s user account so that they can return to the augmented images to reconsider purchase at a later point in time. However, thought must always be given to what a reasonable storage period is in light of the defined purpose: indefinite or long-term storage of personal data for augmented shopping-related purposes is unlikely to be justified. If personal data can be effectively anonymised, however, it will not be subject to the same restrictions.
Integrity and confidentiality (security)
Ensure you have appropriate technical and organisational measures in place to protect the personal data.
Zoom in on security – example
Strong security measures need to be applied to real-time processing of personal data as well as the ongoing storage of personal data. This includes considering measures such as encryption, pseudonymisation, access controls, staff training, incident response, and system restoration (as appropriate in the circumstances).
Accountability
Accountability is a broad principle that is at the heart of the GDPR. It requires you to take responsibility for your processing of personal data and to ensure you can effectively demonstrate compliance with your data protection obligations.
Zoom in on accountability – example
Consider having a dedicated internal policy in place that sets out all your policies and procedures applicable to the processing of personal data for augmented shopping purposes.
High-risk processing and data protection impact assessments
Retailers should also consider whether their augmented shopping experience is likely to involve processing of personal data that poses a high risk to individuals. If so, they will be required to carry out a “data protection impact assessment” (DPIA) to identify and manage risks.
The UK’s data protection regulator, the Information Commissioner’s Office, has made it clear that the use of innovative technology, including AI, can commonly – even if incidentally as opposed to by design – result in high-risk processing, especially when combined with other types of high-risk processing. For example, this might include collecting information that would reveal special category data, such as health data related to a skin condition. Therefore, retailers will want to seriously consider carrying out a DPIA when designing an augmented shopping experience.
Personal data flows to other parties and overseas
For the most part, data protection laws recognise that there may be legitimate reasons for sharing personal data with other parties and transferring personal data to other countries (including to your own corporate family members in other countries). However, there are certain rules and standards that must be met in order to do so.
For example, if a retailer needs to share customer images with a third-party service provider to assist with transposing the digital renderings on to the images, the GDPR requires certain mandatory contractual terms to be in place between the retailer and the service provider. These ensure, for example, that the service provider protects the personal data, assists the retailer with some of its own compliance obligations, and does not use it for its own purposes. These requirements also need to be flowed down the supply chain.
Additionally, if the service provider is based in another country, the retailer may need to put appropriate transfer safeguards in place and carry out a transfer impact assessment under the GDPR. These steps aim to ensure that the personal data remains protected when it becomes subject to another country’s laws and practices. Personal data transfer rules can be complicated but they are important to get right because they receive high scrutiny from regulators (the highest GDPR fine to date has been for personal data transfer violations).
Responding to customer requests to exercise their data privacy rights
Retailers should also not forget that individuals are guaranteed certain rights when you process their personal data. These rights are not absolute, but generally include rights to access the personal data you hold about them, to have their personal data deleted or corrected, and to have the processing of their personal data restricted (amongst others). If you are relying on consent as the lawful basis for processing, the customer can also withdraw their consent at any time, and you must honour this.
It is important that retailers collect, process and store personal data in a way that allows them to respond to requests quickly and effectively. Individuals can exercise their rights at any time while you hold their data, and responding to these can be burdensome and time consuming; this is another compelling reason to ensure you delete or fully anonymise personal data as soon as your defined purpose has been fulfilled.
One last thing before you go…
Augmented shopping can have exceptional benefits for both businesses and customers and is rapidly becoming ubiquitous in the retail space. Many retailers will want to consider incorporating augmented shopping into their businesses today to remain competitive and take advantage of the opportunities it presents. However, proactive steps need to be taken to ensure that personal data is properly handled and to mitigate the data privacy risks to your business and your customers.
If done well, a compliant and accountable augmented shopping experience will not only support your business goals but also win consumer trust. Therefore, not only does your augmented cosmetics try-on tool need to capture one’s best side, so does the shape of your data protection compliance.
Our expert data privacy and technology lawyers at Deloitte Legal bring together a blend of hands-on industry experience, legal expertise and imaginative problem solving, allowing us to provide clients with innovative and pragmatic solutions tailored to their needs and risk profiles. Please get in touch today for support launching your augmented shopping experience.