Data and analytics: using client data safely – an update on data protection laws, regulations, and online privacy
Retail & Consumer Focus
Andrew Fawcett, Partner, Digital & Data
Ali Abbasov, Trainee Solicitor, Digital & Data
With the days of a “one-size-fits-all” approach to customer care rapidly fading, consumer demand for personalisation in retail transactions has been growing. It is estimated that over half of consumers now expect targeted promotions to always be personalised. In order to retain their customers and meet new expectations, retail businesses, in turn, have to collect, store, and crucially interpret massive amounts of product and consumer data.
As a result of the rise in consumer demand for personalisation, we are seeing new issues emerge under data protection laws: hyper-personalisation and the abuse of personal data via profiling.
As part of the UAE’s ‘Projects of the 50’, on 20 September 2021, the UAE issued Federal Decree-Law No. (45) of 2021 Regarding the Protection of Personal Data (“Data Protection Law”). The Data Protection Law came into effect on 2 January 2021 with the aim of aligning the UAE’s Federal laws with global best practices in relation to data protection and of regulating the collection and processing of personal data in the country. In this article we consider the likely impact of the Data Protection Law on consumer personalisation in the retail sector.
Consumer profiling is a marketing strategy that uses data to create a picture of the perfect consumer who will interact with the product or service of a business. If done correctly, a useful consumer profile will act as a guide for targeted marketing and advertising for the businesses to reach their ideal customers. The process is heavily centred on the consumers’ habits and experiences.
As the amount of consumer data used in profiling increases, so do the chances of the data being abused and of consumers’ privacy being breached. The Data Protection Law has introduced controls and requirements which effectively provide consumers in the UAE with rights and protection against the abuse of their personal data in the context of profiling.
One of the most prominent additions to the regulatory framework introduced by the Data Protection Law is the consumer’s right to object to and stop the processing of his personal data if the processing is for direct marketing purposes, including profiling related to direct marketing. This right gives consumers the opportunity to keep control over how retailers use the personal data they share for direct marketing and related profiling.
“Profiling” is defined in the Data Protection Law as a form of automated processing consisting of the use of personal data to evaluate certain personal aspects relating to a Data Subject, including to analyse or predict aspects concerning his/her performance, economic situation, health, personal preferences, interests, behaviour, location, movements, or reliability.
However, it is worth noting that the rights vested in consumers do not by their nature completely prohibit profiling. The right is also limited in its application to objecting to and stopping the use of profiling for direct marketing.
Another important right vested in consumers is the right to object to decisions issued with respect to automated processing that have legal consequences or seriously affect the consumer, including profiling.
However, this right to object to decisions issued through automated processing is limited. The Data Protection Law provides that a data subject may not object to decisions issued with respect to automated processing if the automated processing is part of the terms of a contract entered into between the data subject and the controller, if the data subject has given his prior consent to the automated processing, or if the automated processing is mandatory under any law.
Even when the consumer/data subject has the right to object to a decision based on automated processing, including profiling, the consequence is that the controller/retailer should engage human personnel to review the automated processing decisions that have been objected to.
The growing number of users in the Metaverse means that the Metaverse will potentially become one of the key marketing channels for retailers. It has been estimated that the presence of global brands in the Metaverse will double in the current year.
Some prominent global brands have already been leaving their footprint in marketing using the Metaverse. For example, Nike acquired a Web3 company, RTFKT, to launch personal sneaker NFTs (non-fungible tokens).
Other examples include famous luxury fashion brands Giorgio Armani and Gucci, which set up virtual worlds built around their brands to market their products. The borderless, unregulated nature of the Metaverse exposes consumers and retailers to a gap in the regulatory framework.
As there is no UAE law, whether at Federal or Emirate level, expressly covering this particular issue, it is important for consumers who intend to engage with the Metaverse, and who are targeted and profiled by retailers as a result of this engagement, to be clear about how their personal data is to be used and what purposes they are consenting to.
Another popular method of targeted marketing is via SMS messages sent to consumers’ mobile phone numbers. The numbers are usually obtained by retailers via various registration forms filled out by consumers, and in most cases consumers are aware of and consent to promotional offers and targeted marketing being sent to them via SMS.
Retailers who use this method of direct marketing need to adhere to the critical requirement of prior consent, from the recipient to the service provider (such as Etisalat, Du, or Virgin Mobile in the UAE), to receiving promotional SMS messages on the service provider’s network. The requirement was introduced in the Mobile Spam Regulatory Policy (“Mobile Spam Policy”) Version 1.0, which was issued by the Telecommunications and Digital Government Regulatory Authority (“TDRA”) in 2020.
Retailers should note that under the Mobile Spam Policy the service providers are required to include certain terms and conditions in all messaging services contracts. These include, amongst other things:
Consent shall be sought from mobile subscribers in accordance with the Mobile Spam Policy before any marketing text messages are sent by the retailer.
Effective unsubscribe facilities shall be made available to mobile subscribers who receive marketing text messages.
In the context of direct marketing, even though there is greater consumer demand for personalisation in retail transactions, both retailers and consumers need to be aware of their rights and obligations under the law, particularly the new Data Protection Law and the Mobile Spam Policy, and how these impact on the sending of targeted marketing content.
Further, law by its nature tends to be reactive. With our burgeoning digital transformation, and the likes of the Metaverse opening up new channels for direct marketing which have not necessarily been contemplated by existing laws (even the recently enacted laws), the participants in direct marketing in such an environment need to take care that consumer data is not used in a way that the consumer would not expect or permit.
For further information, please contact Andrew Fawcett or Ali Abbasov.
Published in April 2023