Data Dangers: Privacy Risks Facing Every Luxury Player

The use of data and analytics is arguably indispensable to any business in this time and age, but with the advantages of modern tools, come risks that every executive should be aware of. Here, cyber security practices expert Harry A. Valetk exposes what to watch out for.

Last year, the Luxury and Fashion practice group of international law firm Baker & McKenzie launched the Global Legal Guide for Luxury and Fashion Companies, the first-ever comprehensive global guide to all legal matters relating to the $254 billion industry. It includes contributions from more than 225 lawyers and economists across its global practices.

In the third instalment of this ongoing and exclusive series with Luxury Society on luxury legal issues, Baker & McKenzie summarises a detailed chapter, included within the Guide, explaining the risks and resolutions that every executive should be aware of when using data and analytics in everyday business.

Digital profiling and data analytics to promote sales and forecast fashion trends are increasingly common in the luxury goods and fashion industry. Wearable devices and garments are more popular than ever.

Embedded sensors can now monitor movement, location, and heart and breathing rates using accurate and affordable cloud-based solutions. Big data products are behind a new wave of retail analytics designed to more reliably predict ideas for colors, fabrics, and cuts in search of a competitive advantage.

In the midst of this transformation, in-house counsel must monitor the privacy and security risks associated with collecting, using, and sharing so much information about individuals, take reasonable steps to comply with applicable laws, and manage the business expectations of active regulators like the Federal Trade Commission (“FTC”).

Many government agencies, state Attorneys General, and other regulators are authorised to enforce privacy and data security laws. But luxury and fashion companies in the United States should pay close attention to the FTC’s guidance and string of enforcement actions. This is because the FTC has broad powers to promote consumer protection, and eliminate and prevent anticompetitive business practices.

And it can pursue regulatory action against any company that fails to treat consumer information responsibly inconsistent with law or regulatory guidance. In determining whether a company’s privacy and data security practices are unfair or deceptive, the FTC applies a reasonableness test. To assess reasonableness, you must ask the following question:

Are your company’s practices reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities?

Mr Porter, London Offices

The following summarises several precautions and regulatory expectations on privacy taken from the FTC’s guidance and its active enforcement record:

1. Secure consumer information. Respond quickly and reasonably to known vulnerabilities. Inexperience is not a defense or excuse in mismanaging consumer information. In some instances, you should retain outside experts to address data security problems that exceed your internal abilities. A recent example includes the issue with VTech, which makes a wearable for kids. Its customer database, which includes the information of 4.8 million parents and 6.4 million children, was compromised in November of 2015. VTech’s hackers were able to gain access to children’s photos, chat logs, children’s names, genders and birthdates, account email addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses, and download history.

2. Encrypt sensitive information. Encrypt data whenever possible, especially if it is sensitive consumer information in-transit and, in some cases, at rest, unless some legitimate reason exists not to do so. When it comes to wearables, geolocation and health-related information can qualify as sensitive information.

3. Access controls. Limit access to sensitive information and employ other widely used tools to address known risks within the company or industry. This includes secure destruction of electronic and physical media, physical asset management, and data loss prevention mechanisms.

4. Train your employees. Train your employees on the proper use and protection of consumer information, especially if you maintain sensitive information. This is particularly important because many data breaches occur as a result of human error or social engineering – for example, e-mail with a link containing malware that enables fraudsters to access corporate systems.

5. Use Big Data responsibly. Explain how consumer information is used, and honor the promises you make about your data practices, including those obtained through big data analytics. In January 2016, the FTC released a new report: Big Data: A Tool for Inclusion or Exclusion? In it, the FTC warns that potential inaccuracies and biases may lead to detrimental effects on consumers, such as the misuse of personal information, perpetuating fraud against vulnerable consumers, and weakening the overall effectiveness of consumer choice. This document provides important insight into how the FTC will enforce its rules.

6. Native advertising guidance. Don’t misrepresent or describe in a misleading way your use of advertising. Native advertising is flourishing across every media platform thanks to the higher click-rate and seamless experience it provides, especially on mobile devices. In December 2015, however, the FTC cautioned businesses against deceptively formatted digital content that gives consumers misleading impressions about the promotional nature of a natively formatted ad. Businesses must take reasonable steps to avoid “deceptive door openers” or other content to induce consumers to view advertising content. Businesses are also responsible for ensuring that native ads are identifiable as advertising before consumers arrive at the main advertising page.

7. Laws outside the US.* Laws outside the US governing the data use are changing drastically and frequently. The European Union, for example, recently enacted new data protection rules that will impact every entity that holds or uses European personal data both inside and outside of Europe. These new rules are so radical, the challenge goes far beyond mere compliance. Organisations will need to adopt entirely new behaviours in the way they collect or use personal data or face stiff new fines. Those new behaviors include documented data mapping, risk assessments, audited compliance initiatives, training, and dedicated officers charged with data protection.

In sum, as more companies in the fashion and luxury industry collect and use data to advance user experiences and drive sales, they should also deploy good privacy and data security practices as a way to manage associated risks in the global marketplace.

To read more about what to consider when using data, and other issues impacting cross-border and multi-jurisdictional privacy issues, request your copy of the Global Legal Guide.

Sources/References

1. See, e.g., In the Matter of Fandango, LLC, FTC Docket No. C-4481, Complaint (August 2014).
2. See, e.g., In the Matter of Upromise, Inc., FTC Docket No. C-4351, Complaint (March 2012).
3. See, e.g., In the Matter of Twitter, Inc., FTC Docket No. C-4316, Complaint (March 2011).
4. See, e.g., In the Matter of Franklin’s Budget Car Sales, Inc., FTC Docket No. C-4371, Complaint (October 2012).
5. Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, Federal Trade Commission Report
6. Native Advertising: A Guide for Businesses, Federal Trade Commission Guidance (December 2015)

To further investigate luxury and the laws that apply on Luxury Society, we invite your to explore the related materials as follows:

- International Arbitration As Litigation Risk-Management In Luxury
- The Bare Truth About Luxury Business & Tax