The rise of Retail Media along with the competitive advantage afforded by proper data protection compliance
Now that we have finally stopped saying “big data” and are getting tired of “AI” and “generative AI”, it is undeniable that the new trend in marketing is Retail Media; yet it is far more than a trend, as in our daily professional lives we see an increase in commercial deals, projects and new technologies dedicated to this relatively new field.
Let’s start with a definition, provided by IAB Europe – the European-level association for the digital marketing and advertising ecosystem – in the document “IAB Europe 101 Guide to Retail Media” [1]:
“Retail Media refers to the digital advertising space, retail data assets and in-store opportunities a retailer or marketplace owns, which is then made available to brands for the execution of advertising campaigns. Campaign goals include (but are not limited to) brand awareness, driving sales and new product discovery. Retail Media includes an increasing range of digital opportunities which can be segmented into off-site, on-site and in-store environments. Retail Media also includes the targeting, optimisation and measurement elements of digital campaigns.”
If at the beginning of its rise it was considered just another channel, Retail Media has now become a more complex ecosystem; but – and this is the most important aspect, also from a legal and data protection perspective – it is not autonomous, as it has been evolving around collaboration with more traditional advertising channels.
We also have to remember the period in which we are operating. We are currently facing the advent of third-party cookie deprecation (sooner or later), rising concerns over data protection compliance and the progressive abandonment of data brokers: the Retailer is one of the few operators in possession of safe and effective advertising spaces and, more importantly, of qualified first-party personal data.
This diagram shows how complex Retail Media is and all the aspects that have to be taken into consideration when approaching its compliance:
Just for the sake of clarity (especially for non-experts), Retail Media includes all activities and advertising sold on the retailer’s own properties, including digital ones such as the retailer’s websites and apps or online consumer shopping marketplaces.
Why is “privacy-by-design” important to implement for Retail Media?
More often than not, the challenge is to adapt data protection structures that were set up in the past and that likely had their last major update in 2018, with the arrival of Regulation (EU) 2016/679 (“GDPR”). Nevertheless, it is not an impossible task.
DPIA: the accountability key
Every situation is different, but before starting any new data processing activity it is important to map and study it, in order to have a clear view of all the activities and goals and to understand whether such processing requires a “Data protection impact assessment” under Article 35 of the GDPR (“DPIA”).
A DPIA is a procedure that aims to describe a data processing activity to evaluate its necessity, proportionality, and associated risks, with the goal of implementing appropriate measures to address them; it can cover a single processing activity or multiple activities with similarities in terms of nature, scope, context, purpose, and risks. This last point is very relevant from the accountability perspective and for the ease and efficiency of business processes. In some cases, having a single DPIA for multiple marketing activities that converge into a general flow is not only legally more correct but also a significant advantage in terms of saving the company’s time and resources, thereby gaining efficiency.
When is a DPIA mandatory? A DPIA is mandatory whenever a data processing activity may pose a high risk to the rights and freedoms of individuals. In the context discussed, this might include situations involving evaluative or scoring processes, including profiling; large-scale processing of personal data; combining or comparing datasets from multiple sources for different purposes and/or by different data controllers without initial consent (e.g., with Big Data); innovative uses or application of new technological or organizational solutions (e.g., technologies that detect the location of the device, IoT devices, etc.).
When it comes to highly complex projects, such as those implemented in Retail Media, our advice is to consider the DPIA as a valuable tool for accountability, or at least to use it as a “mapping analysis” (useful also for the records of processing activities), in order to conduct a thorough examination of the processing and use it as a roadmap for the mandatory compliance requirements.
Legal basis: the pillar which defines everything
Identifying the correct legal basis for processing data – under Article 6 of the GDPR – is the foundation of any processing activity, but it is often the most complex and challenging part of the compliance process.
In the context of Retail Media, there are multiple sources of personal data to consider, such as CRM data collected both online and in physical stores, data collected from navigation on digital properties, or data collected as part of special marketing initiatives (such as prize contests or lead generation activities). In short, there can be many sources, with varied purposes.
To manage this effectively, it is essential to map all data processing activities, with particular attention to the initial purpose and legal basis for data collection. If the Retailer intends to activate the data for another purpose, it must consider whether a different legal basis is required for the “secondary” processing. For instance, consider the customer data collected during a purchase and provided for the execution of the contract (Article 6(1)(b) of the GDPR). If the Retailer then wishes to compare that data for analysis in its data clean room[2], the question arises as to whether the previously identified legal basis is sufficient for this additional activity. These are the analyses and questions that must be addressed before proceeding with such projects.
In conclusion, considering the latest reports from regulatory and judicial authorities on the matter[3], it is practically impossible to use the legal basis of contract for any advertising activity – but one should not be too definitive on this point. Let’s consider services that involve the delivery of marketing communications, such as promotional coupons. Especially in the retail sector, these services were historically paper-based, but now they are mostly digital. A company acting as an intermediary between coupons (on behalf of various advertisers) and users who specifically subscribe to its website to receive them could reasonably rely on the legal basis of contract (Article 6(1)(b) of the GDPR).
Soft spam: the valuable exception often overlooked
It is well established that it is not possible to send promotional communications without consent, even when personal data is obtained from public registers, lists, websites, etc.
In this regard, it is important to remember that Italian Retailers can rely on the only exception to the consent rule, known as “soft spam”, which is regulated under the Italian Legislative Decree 196/2003 (“Privacy Code”) and has been allowed in the past by the Italian Supervisory Authority (“Garante”) under the following conditions:
- the electronic mail is used for the transmission of marketing messages;
- the email address has been provided by the user in the context of the sale of a product or service;
- the message is sent for the direct sale of products and/or services:
  - provided by the data controller, and
  - similar to the products and/or services that were the subject of the sale;
- the data subject, adequately informed, does not object to this use for marketing purposes initially or on the occasion of subsequent promotional communications (the data subject must always be able to easily object).
Soft spam is a long-standing exception in the Privacy Code, first analyzed by the Garante in the “Guidelines on Marketing and against Spam – 4 July 2013”[4], but it is still permitted today (even after the GDPR entered into force), although it is often forgotten and not fully utilized by data controllers: another important aspect to remember when planning Retail Media strategies.
Cookies and other tracking tools: a “lex specialis” world
For every digital tracking activity, the Retailer, its media partners, and any entity intending to collaborate through online technologies must always remember that cookies and other tracking tools are still subject to the rules outlined in Article 5(3) of Directive 2002/58/EC (“ePrivacy Directive”): storing and/or accessing information on a device is only allowed with consent as a lawful basis. The ePrivacy Directive is a “lex specialis”[5] to the GDPR, regulating the use of electronic communications services, including cookies and other tracking tools.
This is crucial even for measuring and verifying campaign activities: when an advertiser is delivering ads in another entity’s digital environment and at the same time is using tracking tools and collecting information, it is essential to ensure that the publisher displaying the ads is collecting consent, and even better if it is possible to gather evidence of such consent. Currently, the only tool that easily allows this is the Transparency & Consent Framework (“TCF”), developed by IAB Europe[6]: a standardized method for industry stakeholders such as website publishers, ad tech vendors and advertisers to comply with applicable data protection laws by providing transparency and user choice regarding data usage. For the obligation under Article 5(3) of the ePrivacy Directive (store and/or access information on a device), the TCF Policies[7] clarify that Purpose 1 can only be used with consent as a lawful basis.
As for the use of legitimate interest for digital advertising activities, it is fundamental to remember what is stated in the “Report of the work undertaken by the Cookie Banner Taskforce”[8] by the European Data Protection Board (“EDPB”), with its important clarification of the notion of “subsequent processing”, meaning the processing which takes place after storing or gaining access to information stored in the terminal equipment of a user in accordance with Article 5(3) of the ePrivacy Directive (for example, the placement or reading of cookies). The EDPB taskforce’s report confirmed that the framework applicable to subsequent processing is the GDPR: this includes consent (even if given at the same moment as the placement of cookies), insofar as that consent constitutes the legal basis of the subsequent processing, and therefore also legitimate interest.
Let’s always remember, however, that legitimate interest is a residual legal basis – that is, one must always first verify that the other bases cannot be used – and that, in any case, it is rarely well regarded for marketing uses by the Supervisory Authority (particularly the Garante). In other words, legitimate interest is worth considering only for simple data analysis within clean rooms, for statistical purposes for example, and not for data enrichment and activation activities.
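As an added example (not part of this article, nor code from IAB Europe or any CMP), the two rules just described – Purpose 1 only with consent, other purposes under consent or, where the vendor declared it, legitimate interest – written as a gate over the TCData object a CMP exposes through `__tcfapi`. Field names follow the TCF v2 API; the helper names, the vendor ids 42 and 99 and the sample signal are constructed for illustration.

```javascript
// Added example (not from the article or from IAB Europe): gating tracking
// activity on the TCF v2 TCData object that a CMP returns via __tcfapi.
// Field names follow the TCF v2 API (gdprApplies, purpose.consents,
// purpose.legitimateInterests, vendor.consents, vendor.legitimateInterests);
// the helper names, vendor ids and sample signal below are constructed.

const PURPOSE_STORE_ACCESS = 1; // TCF Purpose 1: store and/or access information on a device

// May this vendor store or read information on the device (cookies, local
// storage, device identifiers)? Only consent counts: under the TCF Policies,
// Purpose 1 cannot rely on legitimate interest, so a vendor listed under
// purpose.legitimateInterests[1] still fails this check.
function mayStoreOrAccess(tcData, vendorId) {
  if (tcData.gdprApplies === false) return true; // outside GDPR scope: nothing to gate
  const purposeOk = tcData.purpose?.consents?.[PURPOSE_STORE_ACCESS] === true;
  const vendorOk = tcData.vendor?.consents?.[vendorId] === true;
  return purposeOk && vendorOk;
}

// May the "subsequent processing" for another TCF purpose go ahead?
// declaredBasis is the legal basis the vendor registered for that purpose
// ("consent" or "legitimateInterest"); the user's signal must match it.
function maySubsequentlyProcess(tcData, vendorId, purposeId, declaredBasis) {
  if (tcData.gdprApplies === false) return true;
  if (purposeId === PURPOSE_STORE_ACCESS) return mayStoreOrAccess(tcData, vendorId); // consent only
  if (declaredBasis === "consent") {
    return tcData.purpose?.consents?.[purposeId] === true &&
           tcData.vendor?.consents?.[vendorId] === true;
  }
  if (declaredBasis === "legitimateInterest") {
    // A legitimate-interest flag is only present where the user has not objected.
    return tcData.purpose?.legitimateInterests?.[purposeId] === true &&
           tcData.vendor?.legitimateInterests?.[vendorId] === true;
  }
  return false; // unknown basis: deny
}

// Constructed sample signal: consent to Purpose 1 and to vendor 42; Purpose 7
// (measure ad performance) established only under legitimate interest; vendor 99
// has neither consent nor an accepted legitimate interest.
const SAMPLE_TCDATA = {
  gdprApplies: true,
  purpose: { consents: { 1: true, 7: false }, legitimateInterests: { 1: true, 7: true } },
  vendor: { consents: { 42: true, 99: false }, legitimateInterests: { 42: true, 99: false } },
};

// Typical use in a page: window.__tcfapi("addEventListener", 2, (tcData, ok) => {
//   if (ok && tcData.eventStatus === "useractioncomplete" && mayStoreOrAccess(tcData, 42)) { ... }
// });
```

Keeping the decision in one function also gives the advertiser something to log alongside the TC string as the evidence of consent the text recommends gathering.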
Privacy policy: a living photograph of the processing
The privacy policy stands among the foundational documents of data protection compliance, serving as the primary and most easily accessible obligation towards both data subjects and authorities: essentially, a “business card” used as an introduction to the world.
In comparison to the standard obligations outlined in Articles 13 and 14 of the GDPR, there are no peculiarities to highlight for Retail Media activities, except for the requirement to ensure that every processing activity (along with its purpose) is disclosed in the privacy policy presented to the data subject at the time of data collection. For instance, if a Retailer introduces a data comparison activity through its clean room, it must ensure that such processing is outlined in the privacy policy already provided to its clients.
Even more innovative activities – such as DOOH tracking or in-store tracking via beacons or Wi-Fi sensors – must be disclosed to customers via a layered approach, for example through signage or billboards directing them to a more comprehensive extended privacy policy (as is common practice in video surveillance).
[1] “IAB Europe’s 101 Guide to Retail Media”, published on September 6, 2023 and available at the following link.
[2] According to the “Data Clean Room Guidance and Recommended Practices” developed by the IAB Tech Lab Rearc Addressability Working Group, a “Data Clean Room” is “a secure collaboration environment which allows two or more participants to leverage data assets for specific, mutually agreed upon uses, while guaranteeing enforcement of strict data access limitations for e.g, not revealing or exposing the personal data of their customers to other parties. DCRs can be designed to serve an array of purposes and deploy different mechanisms, for e.g. performing a specific computation for determining matching of audience data between two parties.” The document is available at the following link. The choice to use Data Clean Rooms is becoming increasingly common among brands and players in the digital advertising field, including Retail Media. There are various solutions offered by the market, and more and more operators are launching their own: proof that clean rooms are a new and established market trend is the fact that even big players such as Google have launched their own solution. See, for example, Google’s announcement regarding the launch of its solution, available here.
[3] The Irish Data Protection Commission (DPC) has confirmed that Meta cannot base the processing for behavioral advertising in the EU on the legal basis of “contract”. This decision follows a request from Norway’s Supervisory Authority (Datatilsynet) to the EDPB for a final order on the matter. The EDPB published its urgent binding decision instructing the DPC to institute a European Economic Area-wide ban on Meta’s personal data processing for behavioral advertising. The decision follows findings that users’ consent to process personal data was not valid for behavioral advertising in light of EU privacy laws. Meta had argued that it collected user consent to process personal data for the delivery of Facebook and Instagram services, which include behavioral advertising. However, the EU authorities held that the terms forced users to agree to behavioral advertising, and thus the consent did not cover such practices.
[4] “Guidelines on Marketing and against Spam – 4 July 2013”, doc. web n. 4304228, available here.
[5] “Lex specialis” is a Latin phrase that means “law governing a specific matter”.
[6] For all the necessary information on the TCF see the IAB Europe’s page “TCF Supporting Resources” available here.
[7] The text of the “IAB Europe Transparency & Consent Framework Policies” is available here.
[8] The “Report of the work undertaken by the Cookie Banner Taskforce” published on January 18, 2023 is available here.