How Tesco and co are testing the limits of customer data exploitation

Sooraj Shah

If a consumer agrees to share information with retailers, can they complain when data about their shopping habits and lifestyle choices are used to milk them for more money?

This means that it is not just a matter of data protection, but of consumer protection, according to Sally Annereau, data protection analyst at law firm Taylor Wessing.

“The DPA and associated regulations apply to the processing of customer data and will be relevant where data processing is connected to targeted pricing.

“However, consumer protection regulations will be equally important here and it is likely that data and consumer watchdogs would act together if there was evidence that, for example, targeted prices were based on browsing behaviour and customer monitoring,” she explained.

When Computing asked the Information Commissioner’s Office (ICO) about this, it said: “When signing up for the loyalty card scheme the individual should be informed about how their information will be used. The information should allow the individual to make an informed decision about whether they are happy for their information to be used in the manner that the organisation intends.

“If an individual believes that an organisation is using their information in a manner that they have not been told about and they do not agree with, then they can make a complaint to the ICO.”

Of course, it is not just loyalty cards that hold personal information. Cookies can also be used to track users’ interactions with an organisation, often across multiple services.

On Twitter, a disgruntled Ryanair customer recently claimed that he looked up a fare on a particular day, which was £123. The next day he checked the fare again and it had risen to £237. Once he had “flushed cookies” the fare returned to £123, he said.

The ICO spokesperson said that, just like the rules regarding loyalty cards, if an organisation was using cookies to track a user’s online activity with a view to targeting them with a price for a product based on their browsing habits, then it would need to provide sufficient information about how cookies are used in that process.

Gartner’s Herschel explained that certain categories of products incur legal restrictions, which mean that a retailer cannot sell a product to two people for different prices. But insurance policies, on the other hand, are usually based on a number of factors relating to personal information, and each person is given a price depending on their circumstances.

“If you apply to take out life insurance, the insurer asks you questions about the activities you do - ‘Do you do sky diving?’ for example. If you say yes to those questions, they charge you more, so this already happens,” said Herschel.

The difference, Herschel explained, is that if a retailer uses customer data from its stores to quote a consumer a price for an insurance package, then the consumer’s general attitude to data privacy is the deciding factor. “Some people are extremely private and do not like their personal information used for any reason whatsoever. Other people think the use of their information will make their life more convenient.

“The logical step for retailers would be to ask customers what privacy level they would like first,” he added.

Thomas Egger’s Walker argued that consumers want to be part of a multichannel environment and to understand why their data is being collected. “Customers are not worried about the use of their data as long as there is no breach of security or third-party use of that data.

“The main thing is, if a retailer keeps adding ways of using the data and updating the policy then the business has to give the customer an option to opt out. They have to do that very quickly and responsively, as stipulated by EU privacy regulations,” she said.

So would a data analytics firm agree to do analysis that might be illegal, or controversial, or fall into a legal grey area? “We don’t do anything illegal,” said Jennings of retail and bank analytics provider FICO. “But you get into a grey area of what is a legitimate use of information.

“FICO’s principle is to use data analytics for something that is mutually beneficial for bank, retailer, insurer and the consumer. So, for example, understanding credit risk is mutually beneficial because banks can make better lending decisions and more people could get access to cheap credit.

“If a retailer can increase their sales in a way that can provide offers that are relevant to the consumer, that is mutually beneficial,” he said.

Additional reporting Chris Middleton

