Future-proofing retail systems with robust data privacy standards

By establishing proper protocols and procedures when it comes to the collection of customer data, retailers can safeguard their brands in an increasingly digital retail environment // By Ritchie Po

The retail environment has changed significantly in recent years, becoming increasingly more digital throughout the operation. This digital evolution has resulted in a range of different impacts, from enhanced efficiencies and more sophisticated predictiveness to improved speed and convenience for the consumer throughout their experiences with brands. It’s allowing retailers to get to know their customers at a deeper level, collecting data from them with each and every transaction and engagement. However, what might be most important for retailers to consider is the critical need for them to understand the limits of collection under different data privacy laws and strictly abide by them in order to safeguard their brands.

Retailers must understand their obligations with customer data

How many times have you bought something, and the cashier asks you for your email address or postal code? Ask them “why do you need this information?” and you’ll find that they cannot respond when challenged. This is because retailers train staff to ask for personal information without training them about data privacy, consent, or the limits of collection. This is not the fault of the front-line staff at the retail level, but a failing at the governance level to sufficiently train their staff on data privacy.

Retailers are always looking for ways to engage with customers and build brand loyalty. This means that they must collect personal information by necessity in the form of mailing lists, advertising, social media engagement, dedicated apps, and customer feedback surveys. Brand loyalty and repeat customers means that retailers are retaining sensitive data such as payment information, shopping preferences, and a history of engagement with the brand. Retailers are now also retaining additional personal information to enhance shopping experiences, such as customer size or measurements, weight, height, or images, which are often uploaded by customers in features intended to try on clothes virtually without ever having to step into a store. Online retailers now also use AI (based on past purchasing history and self-disclosure of measurements) to suggest sizes to customers based on past purchases, to lessen the potential of customer returns based on wrong sizes.

As retailers become increasingly more global, they will have to understand the limits on collection and the data privacy rights of customers across different jurisdictions. For instance, major retailers must understand that the data subject rights for individuals in Europe under the General Data Protection Regulation (GDPR) would not apply to customers in China, Japan, or South Korea, each of whom have their own data privacy rights that differ than those rights conferred by law to Canadians or Americans. Even within the U.S., there are now two dozen state privacy laws that apply to the private sector, in the absence of any federal data privacy laws or regulations.

While these features all greatly enhance customer experience and satisfaction, this means that retailers will be subject to greater scrutiny against an expanding legislative framework. In addition to complying with data privacy laws within the country they operate, retailers may also have to comply with laws at the provincial or state level and ensure that they comply with laws in other countries where they operate or have customers. Each law has different triggers which would apply to retailers.

Additionally, the processing of personal information may be governed by industry regulations. Every retailer works with a third-party payment processing company which means that they must comply with Payment Card Industry (PCI) standards that place additional conditions and obligations on how customer credit card data is processed. Retailers must also ensure that the collection of customer images does not run afoul of any laws governing or restricting the processing of customer biometric data, which would include facial scans, voice recognition, and other genetic data that may identify customers.

Retailers must build in compliance into their overall enterprise risk compliance.

Privacy regulators have frequently fined businesses of all sizes for egregious privacy violations and serious repeated incidents of non-compliance. While big data firms are able to absorb fines up to hundreds of millions of dollars against a multi-billion-dollar revenue stream , even a relatively smaller fine in the six figures would or could wipe out small retailers. A smaller enterprise literally cannot afford to build in legislative fines as expenditures or the cost of doing business the way a multi-national megafirm can.

The more cost-effective way to deal with privacy requirements is to understand the risks for non-compliance and building a privacy management program into the up-front cost of starting up the business. Having a privacy officer would allow retailers to have the thousand-yard stare of the data life cycle and where the accompanying privacy obligations are, and how to operationalize those. This would involve more work than cutting-and-pasting template policies found in the wild on the internet. Ideally, the business should retain

The more cost-effective way to deal with privacy requirements is to understand the risks for non-compliance and building a privacy management program into the up-front cost of starting up the business. Having a privacy officer would allow retailers to have the thousand-yard stare of the data life cycle and where the accompanying privacy obligations are, and how to operationalize those. This would involve more work than cutting-and-pasting template policies found in the wild on the internet.

Ideally, the business should retain a subject matter expert to identify the points of collection of personal data, the risks of data processing, the legislative and regulatory landscape, and how to effectively operationalize and manage the program.

An additional challenge is the desire for some businesses to expand into as many territories as possible. The very nature of online businesses often means that retailers have a greater reach than before and customers come from different jurisdictions, which means they may have different privacy rights and laws. This means that the privacy management program must be robust enough to effectively comply with and manage privacy preferences across different markets.

For retailers that deal with a lot of personal data, a full-time privacy officer should be able to handle all details of the program, from managing the policy suite to reviewing and negotiating data processing and IT security service agreements. For smaller enterprises that may not process considerable personal information, hiring a fractional, virtual, or part-time data protection or privacy officer, even on a consultancy basis, would be the more optimal option.

It is always best to hire a privacy officer, professional, or lawyer to build an effective, efficient privacy management program from the ground up. This ensures that the protection of personal data is organically built into a business. Retailers must deploy AI with care.

As more and more businesses rely upon innovations in Artificial Intelligence (AI), there is also a growing need to feed more data into it to create greater efficiencies and processes. However, enterprises must ensure that the data is not personally identifiable, as that brings up a host of issues.

One of these issues is scope creep. A customer may disclose personal data to businesses for defined purposes for service delivery, compliance, and legal purposes. However, the definition of “business needs” may result in companies stretching the limits of what those purposes are.

When customers give consent to the use of their data, they are confirming the legal confines of what an enterprise may do with their data. Any use of the data that is not otherwise permitted under applicable law is considered an infringement of privacy and may lead to complaints, regulatory audits and investigations, or legal proceedings.

An additional consideration is the reliance on AI by employees. While it is not uncommon to use ChatGPT and other online content generators to produce work product, an organization will have to consider the legal risks of using these products. While personal use of an AI product would be governed by a user license agreement, there are additional considerations and protections that would arise in a formal service agreement with the AI developer. Therefore, retailers should not only formalize how to use AI, but also have governance and formal data processing agreements in place to ensure that they have legal protection against developers that would not be available than if a lone employee were to leverage the product as a single end point user.

Further complicating the matter is that while there are not federal laws governing the use of AI in many parts of the global market, there are laws in other jurisdictions that may greatly effect or even limit the use of AI. For instance, the EU AI Act came into effect in 2024 and is the de facto global standard. Under this law, AI cannot be used unless several risk management and due diligence steps have been completed. These are designed to protect privacy and comply with the tenets of fundamental human rights. Additionally, in the absence of governing laws in certain jurisdictions, a number of advisory bodies have released guidelines on how to safely and ethically use AI, such as those published in early 2025 by the Digital Governance Council of Canada.

While it is not prohibited to use AI as a general rule of thumb, risks need to be identified, evaluated, and mitigated as much as possible prior to its deployment. Even in the absence of governing laws, it behooves a business to organically incorporate privacy and AI ethical use into its governance and enterprise risk model, which would shore up trust in the brand name.

Therefore, while the use of AI is a great innovation, it is not risk-free and it comes with its own set of challenges.

The Personal Touch

When leveraged properly, AI can undoubtedly enhance and elevate customer experience. It can create workflow efficiencies on the retailer’s end, drives engagement and marketing reach, and helps customers with decision-making. However, one must not disregard human interaction in developing brand loyalty.

For the consumer who consciously chooses smaller retailers to shop with, the relationship that’s created between them and those small business owners will keep them going back to the shop. It’s why locals in Paris still buy their daily croissant from the local boulangerie in their arrondissement. It’s why your (or your friend’s) Asian auntie would still buy their preferred cha-siu from the local butcher they know, whose family has owned and operated that shop for decades. And it’s why some commuters grab their morning brew from the independent corner café on the way to the office rather than waiting in line at a larger corporate coffee retailer. Most consumers fit into this category or rely on small businesses like these, that do not have an elaborate or sophisticated in-house IT infrastructure to help sell them daily needs.

For the luxury consumer, an AI chatbot is not the same experience that they would have from a private shopping event or personal appointment. While a YouTube live feed is a great democratizer in granting access to shows, nothing beats sitting in the front row of Paris Fashion Week at the personal invitation of the couture house where the collections are presented for the first time. An AI algorithm may produce the guest list of potential buyers, but that client would buy the entire winter collection only from the atelier’s elegant shop in Milan or on Avenue Montaigne while the designer personally takes their measurements, and attentive staff serve champagne and canapes. And an algorithm would not ask Madame how the children are doing.

Ultimately, the retailers and brands that are able to strike a balance between leveraging AI to create efficiencies in order to enhance operational workflow while still retaining the human touch in customer interactions are the ones that will succeed, helping to drive the future of retailing.