European privacy rules threaten to turn ‘know your customer’ into ‘forget your customer’

Matthew Shay
October 28, 2016

The first rule of Main Street is “know your customer.” But under revisions to the E.U. data protection framework that were adopted earlier this year, that may be increasingly difficult to do. In fact, retailers could be required to “forget” their customers altogether.

Earlier this month, NRF organized a delegation of retailers from Crate and Barrel, Dunkin’ Brands, QVC, Tiffany & Co., Whole Foods Market and Walmart to travel to Brussels and meet with U.S. Ambassador to the European Union Anthony Gardner, senior members of the U.S. Mission and key officials of the European Commission. We went to address our increasing concern over these new privacy rules, which could be a barrier to free trade and to retailers’ legitimate use of customer relationship management practices.

The E.U. privacy framework was developed to ensure that data collected about individuals would be controlled by those individuals. Under E.U. law, individuals can access collected data, correct what they believe to be inaccuracies and — perhaps most notably — demand that data be stricken from a record. The last is the so-called “right to be forgotten.”

The rules govern data concerning E.U. citizens and cover its use inside Europe as well as its transfer to anywhere else in the world. Transfers to countries without what the E.U. deems comparable levels of protection — including the United States — are prohibited. That means U.S. retailers who do business in Europe, or seek to transfer data from Europe, are immediately affected. Furthermore, efforts by the U.S. government to prove it maintains comparable levels of protection are likely to influence U.S. privacy laws as well. Over time, increasingly large swaths of U.S. businesses will be impacted.

Considering the vast amounts of data captured by certain large online companies, it’s not surprising that the Europeans feel some concern. But by trying to develop rules that paint all data users with the same broad brush, the rules miss distinctions that are extremely important to the retail industry and erect boundaries to the free flow of trade.

First, Europeans tend to speak of information as if it is solely the consumer’s data. It is not. At a minimum, it is information about a shared experience.

When a customer shops in a store, his experience is not a secret. The customer knows what he bought and what he paid, just as the store owner does. The customer knows whether the service was friendly, whether the store was well-lit and whether there was a wide selection of merchandise. The shopkeeper might notice the customer’s age, how he was dressed, which products he asked about and whether he was a new or returning shopper. None of those observations are the exclusive property of the consumer. It would be a mistake to treat them as such, because store owners use that information to constantly improve the customer experience.

Nor is it fair, under an imagined “right to be forgotten,” to give every consumer the right to tell a shopkeeper to expunge everything he observes about his customers. Merchants certainly would not insist that shoppers cleanse their minds of everything they observed about a store.

The information about the experience “belongs” to both. It allows consumers to determine whether and how they interact with establishments going forward, and gives business owners the ability to determine which activities and offers are most likely to serve customers’ future needs.

Equally important, the information merchants collect tends to be innocuous or publicly available: names, addresses, preferred sizes, tastes and frequency of shopping in their store. These modest observations help retailers provide their customers with the experiences they want and expect, yet are vastly smaller in size and scope than those gathered by online browsers that follow the consumer, documenting every query or website visited.

Subjecting local retailers to the same intense scrutiny and elaborate operational standards as sophisticated Internet giants all but ensures that traditional customer-focused retailing will be quashed. Attempting to adopt “comparable” rules in the United States would be a nightmare for our industry.

That is why NRF opened these discussions with our European counterparts. Retailers both here and abroad need to ensure that our respective governments understand that the important role businesses play in supporting our joint economies cannot be maintained if one-size-fits-all privacy standards are allowed to squelch customer service.

“Know your customer” is the lifeblood of the retail trade. We hope you’ll join us, and the farsighted companies above, in protecting it.