E-commerce has featured prominently amongst retailers during the past decade: there has also been a need to serve customers online. This has had to be done through a web shop, for example: from bricks to clicks. These developments have yielded online retailers a treasure trove of detailed information on their customers and the latter’s spending patterns. At present retailers are seeking to obtain an identical degree of insight into their customers by using tracking technologies in their own – brick and mortar – shops. With their aid it is possible for a retailer to determine the number of customers in their outlet and monitor their movements. However, such customer data collection raises a number of difficulties, especially in relation to privacy and IT security.

The retail sector already makes widespread use of shop and street-level data. In the Netherlands there are department stores which use beacons and other technologies to present offers to repeat customers. A customer heading for the checkout is then approached by a charming young lady asking them to proceed to a special cash register, where they receive a gift as a valued repeat customer. Such a customer is recognised by a beacon in the shop.

In addition, “beacon cover” is available in shopping precincts and even entire towns. The Frisian town of Grou has comprehensive beacon cover, according to the initiators. It involves 60 businesses. The shopping centre, Les Terrasses du Port, in Marseille in the south of France has as many as 190 participating retailers and catering operators. In such areas shoppers are exposed to promotions which vary from issuing coupons to giving away welcome groceries and product information.

Retail data flows are also evident elsewhere. For example, in the clothing industry customers are provided with a body scan to help them find clothes that fit. Other accessories can be displayed with the aid of a mirror fitted with an FRID tag. Manufacturers are also inserting data in chips. In this way it is possible for certain appliances to indicate when a new part needs to be replaced.

Little concern

By employing these technologies retailers are learning a great deal about their customers. Little concern is evident amongst the general public in relation to this. The majority of consumers are prepared to sacrifice privacy in exchange for appropriate, personalised offers. This has been shown in a survey of 2000 consumers conducted in the United States of America and the United Kingdom. Two thirds of the respondents felt it important to receive offers and were willing to sacrifice privacy in return. Other studies reveal that as many as 89% of global consumers opt for a retailer that is able to provide personalised discounts or offers. Nevertheless, it is exceptionally important for retailers to exercise care when “selling” personalised offers to consumers. Various retailers have experienced this, including the American retail chain, Nordstrom.

Nordstrom informed its customers that their location details were being monitored. Consumers were able to specify that they did not wish to assist with this by opting out. Nordstrom received too many adverse responses and consequently stopped doing this in 2013. The same happened to the American chain of coffee outlets, Philz Coffee, which also halted Wi-Fi tracking in April 2014.

It goes without saying that shoppers should be informed of any tracking technologies which are used with the aid of signs or stickers. However, doubts may be raised in relation to the impact of such signs. An American study reveals that alerts addressed to consumers in shops are barely noticed. What is appropriate for a personalised service is the provision of personalised information. For this reason it is advisable to provide information to customers on a one-on-one basis where possible. In the case of passive tracking technologies signs are the only practical solution for the time being (see the box). On the other hand, where active tracking is involved an app may be used to request a customer’s consent and information may be provided as to what will happen to the relevant data. This also applies in the case of any social media or a website of a shop or retail chain which is used to provide personalised offers, stating that the relevant data will only be used by the shop or retail chain concerned.

Monitoring customers legally

The most important legal principles allowing customers to be monitored legally in a shop are mentioned here. They are general principles. In each case one must assess whether the technology that is employed and the manner in which the data is used are legally permissible.

•        Personal data: most tracking technologies use the MAC address of a smartphone or some other device. According to the CBP, MAC addresses represent personal data and the Wbp applies.

•        Tracking customers in one’s own shop: a customer’s consent is not always required in this case. A shop owner may consider it to be in its own legitimate interests to collect data, provided that those interests outweigh those of the consumer, including the latter’s interest in having their data protected. According to the relevant minister, Kamp, it is in a retailer’s legitimate interests to determine the number of visitors to their shop and to monitor shoppers’ movements, provided that this is not combined with other personal data. Although this opinion is not law, his comment does constitute a significant guideline for shop owners.

•        Tracking customers in public areas: if data is to be collected from passers-by in public areas outside a shop, their consent must be sought. This is because passers-by should not need to suspect that they may be tracked. In this case a passer-by’s interest in privacy outweighs the retailer’s interests.

•        Inform customers properly where possible: the privacy regulator, the CBP, believes that customers must always be informed about data processing with the aid of tracking technologies.

•        Make it possible to opt out: where data processing is required in a business’ interests and the infringement of privacy would be limited, a retailer need not first seek consent, provided that an opt-out option is available. If monitoring occurs for statistical reasons, customers must be able to use such an opt-out feature to opt out, according to the CBP.

•        Consent required for profiling purposes: the CBP states that, where a retailer wishes to profile its customers, they will need to seek the latter’s consent.

Comply with the rules governing cookies: the rules governing cookies set out in the Telecommunications Act [Telecommunicatiewet] may also play a role, for example, as soon as information is sourced from a smartphone with the aid of an app or some other device belonging to a customer.


Apart from this, too little attention is still devoted to security in spite of the fact that businesses have a legal duty to ensure that personal data –  for example, personal data sourced from smartphones or other devices – is properly secured against leaks or any form of unlawful data processing. If it becomes known that data has been hacked, 12% of consumers opt out while a further 72% are adversely affected. Other research reveals that 23% of consumers no longer use a credit card, once it has been hacked. The policy pursued by retailers in this respect is often too limited, confining itself to fraud involving payments. More attention needs to be devoted to insurance and the training of staff, who often represent a weak link in relation to security.This is particularly relevant, because data is stored in various ways. A customer’s MAC address is localised, once their smartphone Wi-Fi facility goes in search of a network or this occurs with the aid of an app supplied by the relevant retail outlet itself. In this case the consumer consents to this. Such an app utilises beacons.

Anyone who tracks customers with the aid of technology is very readily involved in personal data processing. For example, this may occur through the MAC address of a smartphone or some other device belonging to a customer. In such a case a retailer is required to comply with the Personal Data Protection Act [Wet Bescherming Persoonsgegevens] (Wbp). The Dutch Data Protection Authority (CBP) regulates compliance with such legislation. It accords priority to tracking and tracing especially in relation to the requirement that customers be properly informed. In addition, the CBP examines whether consent has been requested appropriately and whether an adequate opt-out alternative has been offered. It is important that retailers comply with the regulations, more so now that the CBP will be acquiring greater powers in the future, including the power to impose stiff fines.

Legal issues involving tracking technologies

In legal terms passive technologies are the most problematic, because customers are barely able to exercise any choice as to whether they wish to be monitored by a retailer or not. It is also an open question as to whether a customer can be clearly informed about data processing. In legal terms active technologies may be reconcilable with privacy legislation as long as the customer retains control over their data, can give their consent (for profiling, for example), can halt any data processing if required (opt-out) and can decline any personalised services. In addition, other privacy principles, such as those pertaining to data security, must also be observed and data must not be stored for longer than is necessary. In his analysis, the chief technologist of the American regulatory authority, the Federal Trade Commission, concluded that the legal issues may vary from one tracking technology to another. His analysis has yielded the following overview (see the table).

Publishers: Louise de Gier and Joost Gerritsen, Photo Credits: Peter Gronemann, “Mall of the Emirates” (CC BY 2.0)