Black Friday and Cyber Monday from a GDPR perspective

Duties of e-merchants, rights of e-consumers 

Born in the United States and imported to France in 2014, Black Friday and Cyber Monday have experienced considerable growth within 3 years, to such an extent that the famous Friday of sensational sales was last year considered by Amazon’s French site “the most intense day of all [its] history”. November 24th 2017 was indeed marked by a record number of banking transactions: 42.8 million, 13% more than the previous year. Among the 79% of consumers who wanted to take advantage of these two days of offers, 89% considered using the internet and spending on average 187 euros. 

A consistent change in a country where e-commerce . But even though 37.5 million French people now buy online, they are still skeptical and suspicious about the use online sellers make of their personal data. According to a study by Obsconso, while 67% of them do not trust brands regarding compliance with the GDPR, 81% are concerned about the collection of their personal data by e-merchants. This apprehension leads 59% to provide false information, and 76% to give up content or services that request too much information. 

Those fears and that reluctance seem justified given how fond retailers are of personal data: 50% of French companies practiced “predictive marketing” in 2017. This strategy consists of gathering information about customers' profiles, needs and desires in order to anticipate their future behaviour, make tailored offers, personalize the user experience, and optimize the supply chain. To achieve this, companies apply Big Data technologies to data from loyalty programs, web browsing and smartphones. Relevant data is then extracted and analyzed by algorithms. 

A recent example illustrates retailers' appetite for data collection: the drive-to-store platforms Teemo and Fidzup. While the former offers in-app tools to gather information about users for commercial targeting, the latter specializes in installing boxes that capture Wi-Fi signals from smartphones. Installed within shops, they measure traffic while collecting some behavioural data. But the GDPR came into force, and these two companies received a formal notice from the CNIL (French DPA) for not respecting the obligations to gather consent and not providing information about the data retention period. This year is therefore special: it is the first year online sellers are obliged to comply with the requirements of the GDPR. This will obviously have consequences for the user experience of e-consumers. 

Concrete changes to e-commerce sites

Terms and conditions: although they have been present on e-commerce sites for many years, they must be updated to reflect an appropriate privacy policy. They must contain:

  • The use that will be made of the personal data gathered
  • The duration of their retention
  • The commitment to sufficient security measures
  • A reminder to Internet users about their rights (access, modification, erasure…) and an explanation of the procedure for enforcing one’s rights.
  • If applicable, a statement that Google Analytics is used for traffic-tracking purposes
  • If applicable, a description of cookie usage and its purposes, as well as the ability to refuse cookies without detriment

In addition, before each purchase, every user must tick a box, not ticked by default, indicating that they accept the general terms and conditions (GTC). 

Cookies: two parameters govern their use: informed consent and data retention. Regarding consent:

  • On the landing page of a site, a window must explain the purpose of the cookies.
  • If the cookies are dedicated to behaviour analysis and marketing purposes, the visitor's consent must be recorded. The visitor must be able to accept or refuse without detriment.

As for the retention period of data obtained through cookies, it varies according to their nature, but it cannot exceed 13 months when the data concerns statistics or is used to measure the audience. 

80% of consumers say they favour companies which they trust the most regarding the management of their personal data. This fact highlights the link between GDPR compliance and business reputation. To foster transparency and leverage trust, Fair&Smart offers premium solutions to companies of all sectors for consent management and rights requests processing.