Legal risks of new retail applications

New technology offers retailers a business boon. Are there possible legal ramifications?

November 18, 2010

Ever-advancing technology and consumer-driven culture are increasingly intertwined in today’s marketplace. Businesses are able to track customer habits, offer instant rewards for desired behaviors, tailor discounts to individual customer taste, and build brand exclusivity – all from having access to personal and biometric information provided by the customer herself in exchange for access to insider deals.

Cutting edge and business savvy, yes, but what’s the catch? Although giving out the occasional email address for a special discount or submitting to a fingerprint scan seems innocent enough, the prevalence of providing one’s personal and biometric information, and the extent of this information maintained by businesses, heightens privacy concerns to unprecedented levels and, along with it, presents legal risks for businesses that collect it.

Virtual loyalty programs

The epitome of this union comes in the form of smartphone shopping apps. One of the most recent and highly developed of these apps is called Shopkick. A customer downloads the app, and activates it on her smartphone. Then, when she walks into a participating store, a device called a deducer that is installed in the store emits a high-frequency, inaudible sound that the smartphone senses. Once the smartphone picks up the signal, it alerts the company that the customer is inside the store. Because the store knows the consumer is present, it can send her coupons for immediate use, which she can then redeem by giving the cashier her phone number.

Customers also earn loyalty points from Shopkick’s rewards program in return for their in-store behaviors. For example, bar codes placed in a clothing store’s dressing room allow the customer to swipe the bar code with her smartphone camera, telling Shopkick that she tried on clothing (a desired in-store behavior) and receiving rewards for doing so.

In using the app, the consumer is also giving the store access to a wealth of information. Retailers learn about specific consumer shopping habits because they know what the consumer is doing while inside the store — where she goes, what she purchases, what she tries on, how often she visits. With this information, retailers can provide more personalized service to their customers using concrete consumer data, while also influencing customer behavior by offering discounts and other rewards.

But this mutually beneficial development is not without downsides. One of the primary legal risks relates to privacy concerns over tracking and storing customer information. Similarly, downloading apps like Shopkick requires customers to register and provide personal information to the company, and there are concerns that the privacy policy may not be strict enough, particularly since, even though it is not intended for children, many children have virtually unfettered access to the internet and smartphones. As a result, young people may be providing sensitive personal information about themselves to companies, which treads very close to the Children’s Online Privacy Protection Act (“COPPA”) prohibitions about collecting information from minors.

Although companies can shield themselves from potential liability by arguing that this information is given voluntarily and, in the case of Shopkick, consumers have to download and turn on the app in order to be tracked, there is still the possibility for this information to be leaked and combined with other information in existing online or offline databases to create a profile complete with a person’s health, family and financial information. Users of Facebook are currently seeing this increased risk first hand, following reports that some popular Facebook applications have been selling personal information from users’ profiles to third parties.

Because this is an ever-evolving area, the risks presented by unauthorized use of this detailed information, should it be stolen, mandate that extra precautions be taken to prevent breaches. System weaknesses must be identified before issues arise, and security measures must take into consideration that information can be compromised both by criminally minded outsiders and by internal employee or computer errors. Employees should be trained to identify and report activity such as unauthorized access to private information. Transparent privacy policies should specify how information is stored and used, and this information should be readily available for employee and consumer reference. An action plan must also be in place for timely notification of consumers, law enforcement, and financial institutions as required by federal and state laws and regulations should a breach occur.

Biometric scanning

Biometric scanning is another increasingly popular tool for obtaining consumer information. Biometric scanning is a method of identifying individuals through the recognition of intrinsic physical or behavioral traits. These traits include fingerprints, palm prints, facial features, DNA, retinas, irises, odors, rhythm, gait and voices.

Businesses have increasingly been using biometric scanning to identify people. To simplify checking in at the gym, for example, facilities are using fingerprint scans rather than membership cards. Exclusive social clubs are using fingerprints for their members to gain entry through the front doors. One appealing attribute for businesses using the scanners is the appearance of being “on the cutting edge.”

In a related practice, some night clubs outside of the United States only grant patrons entrance after submitting to a photo and a scan of their identification and fingerprint. The stated intent behind the scan is to crack down on alcohol-related violence because the clubs will be able to identify banned patrons or patrons who commit crimes. In using these programs, however, the clubs also receive regular reports with information about the gender, age and area of residence of their clientele to assist their marketing strategies.

And these trends aren’t just for adults. Schools are using biometric scanning as a method for students checking out library books, as well as keeping track of children receiving subsidized meals — both for accounting purposes and to allow parents to monitor their children’s habits. Likewise, some skate parks are requiring children who wish to use the park during certain hours to submit to scans in an attempt to cut down on bullying and vandalism. Theme parks also use biometric scans to ensure passes are only being used by the purchaser.

These methods clearly have efficiency and accuracy benefits, but the nature of the information stored comes with risks. Submitting to a few fingerprint scans here and there is probably harmless, yet fears arise about the cumulative impact of submitting to numerous scans throughout one’s daily activities, giving new meaning to “Big Brother.” And because biometric information is unique to each person, if it is compromised, it is irreplaceable and the victim is at a total loss. It goes without saying that fingerprints cannot be reissued like a lost or stolen credit card or a social security number.

Biometric scanning of children has raised additional concerns because, even though such programs are voluntary and require parental permission, children inherently have lesser ability to consent. And if a person’s biometric information is compromised at an early age, he conceivably could be disadvantaged for his entire life.

And not only is this loss devastating for the individual, but the company that failed adequately to secure or encrypt the biometric information will suffer legal and business consequences as well. Just like with other personal identification information, biometric information must be carefully protected, and action plans must be in place to deal with potential breaches. Further implications also arise in instances such as bankruptcy because the database of biometric information can be sold to a third party as an asset. That is exactly what happened when the CLEAR airport security business went bankrupt.

As technology continues to advance by leaps and bounds while becoming more accessible to people of all ages and businesses of every variety, the opportunities — and the risks and consequences — will continue to grow as well. And while consumers need to be mindful of the increased risk of indiscriminately providing personal and biometric information, companies wishing to stay on this cutting edge must first and foremost protect themselves — and in turn consumers — by exercising increased diligence in properly storing, disseminating and destroying customer information.

Stephanie Sheridan is a partner and Alison Williams is an associate with international law firm Sedgwick, Detert, Moran & Arnold LLP. (Photo by Marco Arment.)

©2025 Networld Media Group, LLC. All rights reserved.