Loyalty cards, virtual try-on tools, and facial recognition technology: Is retail the next sector to be hit by a privacy scandal?

With the surge in e-commerce and data collection during the pandemic, retail leaders need to pause and prioritise privacy before it’s too late

By Emma Sheppard


March 2023

When was the last time you were asked whether you had a loyalty card while shopping? Or if you wanted your receipt to be emailed to you, rather than printed? In France, the latter will become an everyday occurrence – there are plans to phase out paper shop receipts this year to reduce the amount of rubbish thrown away. 

Shoppers hand over a treasure trove of data to retailers every day, often without thinking much about it. Loyalty cards are often seen as a good way to save money – 95% of Brits are members of at least one. Personalisation is another benefit and it’s something 91% of shoppers say they want, according to Accenture. 

But when e-commerce soared during the pandemic, so too did data collection. And the prospect of what comes next is starting to worry privacy campaigners. 

The allure of new technology

While other sectors such as healthcare and financial services have been shaped by privacy regulation and compliance responsibilities, experts say the retail industry has been slow to address concerns about privacy. With the rapid rise of e-commerce in recent years, many retail brands don’t have large compliance teams to rely on. 

That’s leading to data breaches and cyber attacks. According to PwC, the retail sector is the focus of around 4,000 data security threats every year. In February 2023, high street retailer WH Smith was hit by a cyber attack, with hackers accessing some workers’ data. This followed an announcement in January this year of a cyber attack at JD Sports which saw 10 million customers’ personal data compromised.

There has also been a push to invest in omnichannel technologies that promise to make physical retail stores as measurable as websites. In Australia, academics are developing technology to enhance store layouts by using in-store cameras to capture when shoppers raise an eyebrow, open their eyes or smile. Other retailers are using facial recognition technology to run checks when shoppers buy age-restricted products at self-checkouts, or to enhance security. Tesco has been criticised for effectively forcing shoppers to sign up for its loyalty scheme by charging non-members much higher prices. The chain even barred one man from entering a store at all because he didn’t have the mobile app or Clubcard.

As such technology becomes mainstream, privacy campaigners are fighting back. In July 2022 the privacy group Big Brother Watch submitted a complaint against Southern Co-operative over its use of facial recognition cameras in 35 of its stores. In the US, there have already been a number of lawsuits related to the use of biometric data in virtual try-on technology under the Illinois Biometric Information Privacy Act (BIPA). Brands including Dior, Louis Vuitton and Estée Lauder have all had action taken against them. Walmart’s ‘Be Your Own Model’ tool specifically recommends users wear fitted, minimal clothing and heels. While the company does not currently share these images with third parties, there may be plans to do so in the future (although a spokesperson says if that happens, the photos will be blurred and anonymised).

Seventeen other states in the US are currently in the process of introducing their own biometric data protection legislation based on BIPA, so expect more lawsuits in future. In New York City, businesses are now required to post a biometric identifier information disclosure if they’re using facial recognition technology. A recent investigation by a New York Times journalist found only a few are complying.

A gold mine of shopper information

With the decline of ad tracking on Apple devices and the phasing out of third-party cookies on Google, brands are looking for new suppliers of insights. Retailers are in a unique position in that they collect purchase information – not just online browsing behaviour, as other channels do.

Leveraging customer data has become highly profitable for retailers. Many are inspired by the success of Amazon’s advertising business, which is worth an estimated $30bn. They have access to personal information, purchase history, location, financial information, even biometric data and behavioural inferences. Amir Rasekh, director of Nectar350, J Sainsbury’s loyalty scheme and marketing services arm, tells The Financial Times: “Brands have woken up to the fact that as a retailer … you have the ability to understand customer behaviour and personalise advertising based on that.” 

In the US, Walmart was on track to generate $2.2bn in revenue from advertising in 2022. On an analyst call, its chief financial officer revealed advertising was faster growing than the company’s main retail business and had higher margins. Supermarket chain Kroger has also grown alternative profit business units that monetise customer information, worth an estimated $1bn. Its journey into data science started in 2003 with a partnership with Dunnhumby, a subsidiary of Tesco, which was an early innovator in the loyalty programme space. 

Defusing a ticking time bomb

Using data and technology to personalise a shopping experience, create a more impactful in-store experience, or generate a new income stream may seem like low-hanging fruit for the retail sector. But the importance of privacy can’t be ignored.

Research has found UK consumers are most concerned about their data privacy when they’re shopping online, ahead of browsing social media and using email. And in the US, while 66% of consumers say they prefer to buy from stores that know them and their preferences, 87% are very concerned about how their personal information and data are being used. One general store chain, Trader Joe’s, prides itself on the fact that it doesn’t collect any data on its customers at all. And it’s worth noting that the target of the very first financial settlement made under the California Consumer Privacy Act (CCPA) was the retailer Sephora, to the tune of $1.2m.

In the past, retailers have collected data in a piecemeal, siloed fashion. As this becomes more streamlined, leaders must be aware of the ethical and legal need to prioritise privacy every step of the way.
