Personal Information Collected by Retailers Must not Perpetuate Discrimination: Expert

Retail industry news delivered directly to you. Subscribe to Retail-Insider.

The recent unsettling reports that US retailer Anthropologie had been racially profiling its Black customers was alarming for several reasons, amongst which it came to light that this was common practice at its affiliated companies Free People and Urban Outfitters (all three are owned by the parent corporation URBN, and all three store banners are in Canada).

Aside from the systemic racism that was perpetuated through operational training and not corrected through sensitivity training, the issue of racial profiling on Black, Indigenous, and People of Colour in Canada and the United States arose at a time when public discourse on the topic is at all-time high. From a privacy perspective, this naturally raises the question as to whether personal information collected by retailers may inadvertently perpetuate systemic discrimination, even if technology and personal data are in and of themselves agnostic.

The concept of “profiling” in data privacy is used heavily in the EU General Data Protection Regulations, commonly referred to as the GDPR. It is defined in Article 4(4) as follows:

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

The GDPR is considered the gold standard in global data privacy protection. Canadian data privacy laws, which has both Federal and Provincial versions that work harmoniously with one another, are deemed to have adequate safeguards similar to the EU’s. Retailers often have EU customers and wish to transfer data across borders to business partners and their own foreign offices, using the GDPR as a compliance mechanism. Even Canadian brands recognize the value of complying with GDPR as a harmonization tactic.

Applying GDPR as a Harmonizing Tactic

In the absence of comprehensive American federal consumer privacy legislation, the U.S. has a framework agreement, known as the Privacy Shield, to permit transfer of personal data between them and the EU. Americans brands also use GDPR as a compliance mechanism to strengthen their commitment to the Privacy Shield. This therefore means ensuring that profiling is performed correctly, because doing so through automation may negatively affect the rights of, and produces potentially detrimental legal effects, concerning natural persons. Under Article 22, all persons under the GDPR have the right to object to any decision based through automated decision-making that includes profiling.

Retailers often compile considerable personal information from their customers, including their home address for delivery, credit card, and other payment information, and purchase history, in order to perform directed marketing (usually in the form of e-mails and SMS texts). For instance, even though a customer disclosing their date of birth to a retailer to qualify for a “free gift” or additional benefit may seem benign, it is still personal information that the retailer must safeguard, the loss of which may result in legal liability if it were compromised.

Additionally, the transaction history a customer has with any brand is also personal data, as is any image of them captured on security cameras while shopping in the store. If a retailer also has a customer’s measurements or images, then that is also considered biometric information. Even metadata collected via web cookies or web beacons while online shopping contains location, traffic, and subscriber (customer) data that is classified as personal data under the GDPR, which retailers may aggregate and use to provide services and create marketing.

With such a rich cluster of information on their customers, retailers are now able to potentially evaluate natural persons and make decisions on their past history with the brand, and make decisions on those customers. This is not necessarily a bad thing if a retailer wishes to better understand their customer and grow their business, particularly if they specialize in a particular niche clientele. Responsible collection of personal information can only help a brand connect with their customers and tailor their goods or services to meet those expectations.

For instance, if a customer spends a certain amount of money per year with a brand, they are likely to be considered the most loyal or the top spenders. However, in combining that data with other identifiers, such as the customer’s address, race or ethnicity, measurements, and credit history, is it possible to profile other customers in the same database to determine and predict behaviour? While profiling as a practice is not in and of itself racist, technology may inadvertently include and exclude key customer demographics. This may mean that automated decision-making through profiling might prevent extending offers and invitations, such as to private sales, credit card offers, or other benefits, to potential customer groups who may not fit the targeted demographic, based on aggregated group identifiers, which may be a form of discrimination. Doing so may imply that a brand is not inclusive, a blight that cannot be explained away by a social media consultant or publicist posting a black square and an apology on social media.

Profiling can be Used for Good

There are ways to use profiling for good, as long as it is performed in a way that is compliant with privacy laws, and in an information-agnostic way that does not inadvertently prevent customers from participating on the basis of immutable characteristics such as race. The author of the article Utilizing PIAs to Limit Institutional Discrimination and Bias recommends that having a privacy officer or legal counsel complete a privacy impact assessment on electronic systems may be a way to uncover unconscious bias that technology does not and cannot recognize.

Similarly, conducting a privacy impact assessment on a project during the design phase, such as marketing surveys or advertising campaigns, is an additional safeguard that can not only help a brand comply with the GDPR and other binding regulations, but also to ensure that unconscious biases are examined and eliminated to promote inclusivity.

In an era when retailers are collecting more and more data from customers to effect service delivery, it is incumbent on retailers to not only safeguard their personal information, but to use that data for good. Privacy and protection of personal information is not just due diligence, but also one of the most effective ways to develop customer brand loyalty, diversify a retailer’s clientele, and commit to the fight for racial equality and equal opportunity. After all, unconscious biases are very last season.

Article Author

Ritchie Po
Ritchie Po is a privacy and cybersecurity lawyer based in Vancouver, with considerable experience in data breach handling and technology procurement. He runs his own practice focusing on data privacy law and is a legislative consultant. He is also the original copy editor for Retail Insider.

More From The Author

Luxury Resell Boutique Mine & Yours Opens Impressive Storefront in Vancouver’s...

The popular retailer has been in business for almost a decade and is now looking at expanding into other markets in Canada.

How Canadian Brands Doing Business with the EU Must Comply with...

Any brand that collects their EU customers’ personal information needs to ensure that their service agreements meet new compliance rules says Ritchie Po.



Please enter your comment!
Please enter your name here

- Advertisement -

Latest Stories

Follow us


all-time Popular