European Privacy Rules


The issue

The General Data Protection Regulation, which took effect in May 2018, is a new European Union privacy law that sets out changes to almost every aspect of consumer data processing. Retailers with stores, websites, mobile apps and other digital platforms serving consumers face new compliance standards, increased liability for violations and more stringent enforcement. While GDPR is aimed primarily at EU-based businesses, it also applies to companies from any country in the world that have stores in Europe, target sales to Europeans through the internet, mobile apps and other remote commerce channels, or simply track European customers online. It therefore has significant implications for many U.S. retailers.

Why it matters to retailers

GDPR sets extensive restrictions on how businesses can use, store and process consumer data. In many instances, it takes an opt-in rather than opt-out approach to obtaining consumers’ consent and gives consumers the right to have their data erased from a company’s records, among other provisions. Although authoritative interpretations of the new law are still emerging or non-existent, the restrictions may threaten a wide variety of fundamental retail business operations, ranging from marketing to keeping records of transactions in order to provide a refund without a receipt. Companies face high compliance costs and extensive administrative burdens, and those that violate the rules face penalties as high as 4 percent of worldwide revenues. GDPR is the first privacy law in the world with such broad sweep, and “getting it right” is extremely important as other countries look to it as a model.

NRF advocates for fair implementation of GDPR

NRF worked for more than two years with Brussels-based EuroCommerce to develop a 14-page paper titled “Retail Approach to Implementing Critical Elements of the GDPR” that addresses how retailers can meet the regulation’s requirements while still providing customers with the “personalization, omnichannel experiences and seamless retail operations that they expect.”

The paper, which was released just before GDPR took effect, said there are “many questions” about how GDPR applies to retail operations and that retailers need to find appropriate methods for compliance that “further their customer relationships and do not frustrate them.”

Among other issues, the paper said retailers should not be required to erase data needed to prevent fraud or assist with returns; otherwise, customers could be left unable to obtain a refund for an unwanted product or exchange an item that doesn’t fit, for example. Erasing data could also violate laws requiring certain data to be retained. The paper said consent obtained before GDPR took effect should still be valid and not have to be sought again, and that retailers should not be required to repeatedly ask for consent at each step of a customer interaction, since that would be “very disruptive to the customer’s shopping experience.” The paper also said the data breach provisions of GDPR should apply to all entities that handle consumer data, such as credit card companies, not just retailers, and that restrictions on automated data processing should not be interpreted in a way that interferes with the ability to offer customized online ads.

The paper was shared with data protection authorities in the 28 EU member nations to make them aware of retailers’ efforts to ensure GDPR compliance while meeting consumers’ expectations. NRF and EuroCommerce are continuing to monitor GDPR issues closely and working with both retailers and EU officials to address compliance issues.

In October 2018, NRF led a delegation of U.S. retailers to Brussels for the third year in a row, with the trip coinciding with the annual International Conference of Data Protection and Privacy Commissioners. During that trip, NRF met with Commissioner Vera Jourova, the European Union’s head of consumer issues, to discuss concerns about GDPR. NRF explained that retailers’ use of consumer data is very different from that of other industries because retailers use data to better serve their customers, not simply to monetize the data itself. The message was well received, and NRF was invited to speak at a one-year review of GDPR that Jourova will host this summer, giving retailers a seat at the table on the issue for the first time.

GDPR is not the only European privacy issue affecting U.S. retailers. NRF strongly supports the EU-U.S. Privacy Shield, an agreement that is critical to the EU-U.S. transfer of consumer data. Prior to the plan’s annual review last year, NRF and EuroCommerce hosted a “fireside chat” between Commerce Department Deputy Assistant Secretary James Sullivan and Bruno Gencarelli, the EU’s head of international data, during the Brussels conference. The session was one of the officially recognized events of the privacy conference and drew several dozen EU and U.S. officials to hear the issues involved.

NRF has led U.S. retailers’ efforts on European privacy regulations since 2016, taking industry delegations to Brussels for meetings with both U.S. and EU officials each year, launching a Global Privacy Task Force, holding a Global Privacy Meeting in New York, hosting a webinar on compliance and sending executives to the annual European Data Protection Days conference in Berlin in 2018.