One of the impacts of the restrictions Covid-19 has brought to our lives is that Christmas seems to be coming a little earlier this year. All around my neighbourhood otherwise sensible people have been putting up their Christmas decorations and the festive cheer marketing messages are starting to appear in my inbox. It’s only a matter of time now before the inevitable “Santa Claus and Data” themed blog posts start popping up.

Santa Data Management Post? Bah! Humbug!

Yes, Santa is known for making lists and conducting behavioural analysis. Why yes, he is possibly located outside the EU/EEA, raising issues of cross-border data transfer post-Schrems2. Indeed he does engage the services of sub-contractors (elves, shopping mall Santas, and let’s not forget Krampus), suggesting he should have data processor agreements in place. You’re right, we do need to think about his lawful basis for processing (it’s probably contract as there is an exchange of consideration and penalties). The list is checked twice, suggesting Santa has data quality problems and issues with the accuracy principle under GDPR. And don’t get me started on the fact that “Santa Claus Is Coming To Town” is not a fully compliant fair processing notice.

Have I missed anything in all of that? Just in case I did, here’s the Santa post I wrote in 2014 (yes, dear reader, I too was a sinner).

Every year someone decides that this is a new and interesting marketing hook for their data-related business. Every year I find myself seeing Scrooge’s point a little more.

Bad Data Santa

I thought that, rather than do the twee guff post about Santa and data, I’d take this opportunity to share some information with people about things to watch out for this year when we are all going to be doing a lot more shopping online either for delivery or through click-and-collect. These pointers are also important for companies that are setting up to sell online who might have historically been a “bricks and mortar” retailer and this year, of necessity, are into “bricks and clicks”.

After all, Santa isn’t the only one trying to make lists and check them twice at this time of year. So it is important to pay attention to who you share your data with at this time of year.

Order from Reputable Retailers or stores you recognise

Anyone can set up an online store and spin up a website these days. It’s important to do some due diligence and check that you are buying from a recognised, reputable retailer. This year, there will likely be a lot of smaller businesses online for the first time or ramping up an existing online sales capacity. Some things you should watch out for when buying (and which you should consider when selling):

  1. Does the site tell you where this store ACTUALLY IS and are there other ways to contact them (phone, email etc.)?
  2. Is the site secure (https:, the little padlock icon in your browser)?
  3. Does their data protection notice make sense and is it something you can understand (this shows they have thought about how they are handling your data and how to communicate to you. It should also give you information about who the retailer is and how to contact them)?
  4. If they are emailing you is it coming from a proper domain name (@nameofretailer.com) or a free gmail account?
  5. Are they using secure payment processing methods (e.g. PayPal or Stripe)?

If your retailer is ONLY selling via a Facebook page and there is no other information for them, I’d tread cautiously.

Santa likes Cookies, but everyone should be able to say no

It’s worth checking that you can actually refuse cookies from the site when you visit it. That shows that the retailer has actually paid attention to their legal obligations. This is a bit of a ‘trust signal’. If they don’t have a cookies notice and you can’t opt out of cookies, that is a warning sign in my book. It suggests that other things might not be as they should be behind the scenes. Understanding and implementing proper cookies notifications and controls is NOT HARD. Websites need to:

  1. Obtain consent for any cookies that are not strictly necessary for the operation of the site (for example to manage your online shopping basket)
  2. Provide information on what cookies are used by the site
  3. Allow you to reject ALL non-essential cookies easily.

Can we add you to our (mailing) list?

It’s worth remembering that just because you buy something from a retailer it doesn’t mean you can be automatically added to their marketing mailing lists. SI336/2011 (the ePrivacy Regulations) does allow for businesses to send you electronic mail for the purposes of direct marketing if you have bought something from them. But this is subject to some very specific constraints:

  1. You MUST have provided people with the option to opt-OUT of receiving any direct marketing at the point of sale. No option to opt-out, no valid basis for electronic marketing.
  2. The products and services being sold must be the organisation’s own. No cross promoting another business or selling their products to your customers UNLESS THEY HAVE AGREED.
  3. A sale MUST have taken place. The legislation specifically states “in the course of a sale”. No sale (for example an abandoned cart), no basis for electronic marketing.

If you are a retailer digging out your old marketing lists, you need to check your data. You need to make sure you exclude anyone who you haven’t communicated with in the previous twelve months. Then check the lists again to make sure that you either have a valid opt-in for direct marketing (specific, freely given, informed, unambiguous) or a basis for marketing to people who have already bought from you.

The Gift of Data Quality (or the Data Quality of Gifts)

Another thing to consider is the information that is presented to you about gifts you are buying. Being sure you are getting what you think you are getting is an important aspect of online commerce. For a retailer, making it as easy as possible for people to find things in their online store is also important. That is a feature and function of the data and metadata you have about your products and services. Things like stock levels, sizes, pricing, colours etc. become very important in a period where people might not have time (or the ability) to return items or exchange them.

Less than 3% of organisations have data that meets basic data quality standards. A little investment in your metadata (classification and categorisation of content) and your master data (management of data about things that are important) can go a long way to improving the customer experience in your online store. Imagine if you had a physical store where everything was lumped in together with no structure to make things “findable”.

Data Ethics at Christmas

Finally, it is worth considering the ethics of data at Christmas. I’d encourage EVERYONE to try and buy from a local retailer. Even if that retailer has ventured into online for the first time this year. Amazon and other big retailers have dominated the on-line space for many years. But there are ethical issues with how they gather and use data both about the people who buy things from them and the things that they are buying. This has hurt the high-street in previous years. This year we need, more than ever, to consider where we put our data and our money. In this way, we can support small local businesses.

Consider the trade-off of giving your business to a small local retailer doing click-and-collect due to Covid. As long as they have addressed the basics of getting their online presence compliant with data protection and ePrivacy rules, and they have appropriate security safeguards in place on their site, the value to our communities of buying there is greater than any saving that might arise buying tat from the Great Warehouse in the Sky (the GWS).

But the small retailer needs to consider how they are using tools provided by the GWS. Personally, I avoid sites with Facebook like or share buttons because of how Facebook uses data. Those ‘joint controller’ relationships can impact trust.

If you REALLY want to find out about Data Ethics at Christmas, I can recommend a good book for your Christmas Stocking.

Daragh O Brien

Daragh is the founder and Managing Director of Castlebridge. He brings over twenty years of experience in data strategy and regulatory operations to the table for clients. He lectures in the School of Law in UCD and in the Law Society of Ireland on Data Protection and Data Governance. He is a Fellow of the Irish Computer Society and holds CIPP/E and CIPM certifications from the IAPP and other data management qualifications.