Consumer privacy in retail

Consumer privacy in retail:
The next regulatory and competitive frontier

Consumer privacy: The new regulatory frontierCopyright © 2019 Deloitte Development LLC. All rights reserved. 2
Retail is at an inflection
point with consumer privacy.
The industry, leaders
included, should benefit by
striving for a new standard

Consumers are
becoming more
privacy aware
Some consumers are
concerned about data privacy
and want more control over
data as they are aware of more
data breaches
Retailers should
become data-wise
and privacy conscious
Some retailers struggle to
develop privacy policies that
align to business strategies,
keep up with data
proliferation, and deal
with system complexity
States are
enacting new
privacy regulations
New regulations are
coming as nearly half of
US states are developing
data policy legislation
Consumers are increasingly aware of threats to their privacy and personal data;
meanwhile, several states are introducing and enacting new privacy legislation

Individuals are attempting to manage significant “digital exhaust” that comes from all
aspects of their lives
Mostly user
controlled
Minimally user
controlled
Publicly-
available
information
Information
shared
voluntarily
Career
Government
issued IDs
Politics
Information
from
data
breaches
Online
and social
media
activity
Family
details
Basic
internet
profile
Login
credential
Social
security
number
Geo
location
data
Credit
score/
history
General
purchase
history
Device
ownership
Photos
Friends/
colleagues
Education
history
Personal
identifiers
Healthcare
/insurance
identifiers
Financial
history
User
account
details
Medical
prescriptions
Cross-
site
history
System
info
Shopping
preferences
Payment
processing
data
Legal
records
Customer
service logs
Third-
party
tracking
Media
preferences
Home
address
Telephone
call records
Demo-
graphic
features

3 states have
enacted dedicated privacy
laws covering
42.5M
Americans (13%)
19 other states are
debating new privacy laws
potentially covering
134M
Americans (41%)
The remaining states
have traditional breach
notification and
security laws
New privacy regulation coverage by
U.S. population (327 million)
FL
NM
DE
MD
TX
OK
KS
NE
SD
NDMT
WY
CO
UT
ID
AZ
NV
WA
CA
OR
KY
ME
NY
PA
MI
VT
NH
MA
RI
CT
VA
WV
OH
INIL
NC
TN
SC
ALMS
AR
LA
MO
IA
MN
WI
NJ
GA
DC
AK
HI
Enacted law Bill introduced and/or passed
by House or Senate (includes
“In Committee”)
No dedicated consumer or
data privacy action currently
Dedicated privacy legislation by state7
Source:
7. Deloitte analysis of legislations related to privacy passed or enacted in 50 US states.
New privacy regulations, either enacted or under consideration, will potentially cover
54% of American consumers with new protections and expose retailers to penalties

Consumer businesses may have historically had lower compliance costs than other
major industries; however, privacy regulations will likely change that dynamic
Financial
services
Healthcare Retail
$30.9
million
$19.0
million
$11.5
million
Average compliance cost
by industry8
Regulatory compliance requirements
most difficult to achieve9
90%
55%
50%
39%
33%
22%
18%
17%
11%
General Data Protection
Regulation
Payment Card Industry Data
Security Standard
US state laws
HIPAA/HiTech
Sarbanes-Oxley
Country-level regulations
Federal cybersecurity directives
New York State Department of
Financial Services regulations
Gramm-Leach-Bliley Act (GLBA)
Source: 8 & 9. Ponemon Institute LLC – “The true cost of compliance with data protection regulations” (December 2017).
Notes: HIPPA/HiTech refers to Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act.
Consumer privacy laws,
which are directly applicable
to retail, are complex and
challenging to implement
10

Retailers are in a challenging position: They are not highly trusted AND consumers
hold them accountable to ensure privacy
Most to least trusted businesses10 Accountability for ensuring consumer privacy
in the retail industry11
(% of shoppers)
Retailers
63%
Federal
government
41%
Technology
partners
27%
Consumers
27% State government
23% Financial partners
20%
Source: 10 & 11. Deloitte – Data Privacy Survey for US Consumers (N=2,000)
Rank Sector
% of
respondents
1 Banks 63%
2 Hospitals 37%
3 Tax prep & legal services 37%
4 Credit reporting agencies 33%
5 Government 28%
6 Insurance 24%
7 Schools and universities 15%
8 Technology companies 11%
9 Nonprofits 10%
10 Airlines 8%
11 Restaurants 7%
12 Retailers 5%
13 Automotive 4%
14 Hotels 3%
15 Manufacturers 3%
16 Social media 3%
17 Print or broadcast media 2%

The disconnect between consumer perception and how retailers use the
data fuels the trust deficit
Source: Deloitte –Retail executive survey on US Consumer Data Privacy (N=201); Deloitte – Data Privacy Survey for US Consumers (N=2,000)
believe data is being predominately
used for targeted marketing, sharing
with third parties or outright sold to
third parties
have an opportunity to engage
consumers on how data is being
used to improve in-store and online
experiences, product selection, and
efficiency of retail operations
27%28%
36%
41%
55%
68%
53%52%
49%
46%
27%
45%
Increase
efficiency of
retail operations
Improve product
selection
Improve in-
store consumer
services or
experiences
Improve online
consumer
services or
experiences
Share data with
third-parties
Target
marketing
Consumers Executives
Data usage: Consumer and retailer perceptions
Consumers
Retailers

Source: Deloitte Retail executive survey on US Consumer Data Privacy (N=201)
Based on Deloitte’s survey of retail executives, there are four major areas of focus
when comparing and contrasting retailers’ privacy culture and privacy capabilities
Deloitte surveyed 201 retail executives on data privacy to understand how
retailers differentiate across a series of privacy tenets
Data
management
• Enterprise views on what
data needs to address and
who needs to access it
• Approach to determining
how data needs to be
managed and maintained
Security and
infrastructure
• Approach to manage
security for consumer and
employee data
• Focus on the infrastructure
and cyber needs to protect
data and manage third-
party access or use of data
Strategic
alignment
• Corporate governance
structure and integration
between privacy and
business strategies
• Internal environment and
culture supporting privacy,
empowering employees,
and driving data ethics
Consumer-
centricity
• Measures to elevate the
consumer to managing their
data and preferences
• Policies developed to engage
consumers and provide
visibility into corporate
actions, data collected, and
use of data

Overall, performance of retailers varies notably across the four tenets and only a third
of them (Leaders) manage to build capabilities and also nurture a culture of privacyPrivacycapabilities
Developed a privacy culture
Leaders’ privacy policy is well integrated into corporate
strategy and privacy capabilities are optimized with focus
on consumer-centricity
Adopters (both Testers and Aspirers) are increasing their
focus on privacy, however, have not yet fully embedded it
across the organization
Laggards have not elevated privacy and, as a result, it has
not gained strategic or operational traction
Methodology: Using retailer executive survey responses, we conducted cluster analysis to identify the key attributes
differentiating retailers and were able to identify three distinct segments: ‘Leaders’, ‘Adopters’, and ‘Laggards.’ These groups
exhibit statistically significant differences in their approach and performance around privacy related activities

There is a significant difference in how these clusters approach and manage
privacy within their organizations
Implement privacy through contracts
and notices, with minimum
processes, or even without full
documentation
Drive continuous improvement
across key privacy areas, looking to
optimize, and customizes approaches.
Privacy is imbedded within the functions,
often seen as a compliance or legal
activity
Privacy involves the C-suite with
direction set at the top levels
Internal operations and product
selection
Consumer-focused services and
experiences (stores and digital)
Security measures in place to protect
the data
Consumer rights and nature of data
collected
Laggards Leaders
Across key aspects of privacy performance, ‘Leaders’ are over 10x more likely to have optimized
capabilities and culture than ‘Laggards’
Approach
Organization
structure
Top data uses
Consumer
communication

Purpose of consumer data collection
optimally defined 7.6x
Usage of consumer data collected
optimally defined 39.0x
Optimized privacy governance structure 5.6x
Optimal integration of privacy with
corporate or business unit strategy
planning
10.5x
Data retrieval made easy to get a
holistic view of our customer 11.2x
Data structured to limit
access on a ‘need-only’ basis 3.5x
Optimized data collection
based on ‘data minimization’ 19.0x
Optimized information
security program to prevent violations 11.3x
5%
0%
7%
4%
5%
22%
2%
4%
Leaders consistently outperform Laggards across crucial privacy areas; however, the
industry should advance the standard
18%
15%
18%
20%
30%
38%
18%
21%
38%
39%
39%
42%
56%
77%
38%
45%
Leaders
trust-focused and
consumer-centric
Adopters
testers and
aspirers
Laggards
process-focused
and tactical
Leaders vs
Laggards
Strategic
alignment
Consumer-
centricity
Data
management
Security and
infrastructure

With increased scrutiny on consumer and data privacy, there is a call to action to
define a new standard that works for consumers and retailers
24
03
02
01Lead with consumer-centricity and
consumer experience
Treat data as an asset, someone
should own and champion it
Embrace privacy by design03
02
01 Work with leading trade associations
to set the privacy standard
Be transparent with consumers and
regulators on source and uses of data
Actively engage with state and
federal lawmakers
Internal External

Retailers who focus on
consumer privacy as a strategic
growth driver are poised to
create more meaningful data,
enhance consumer
engagement, and reduce risk
exposure all while staying
ahead of the evolution of
privacy in consumer business

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member
firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as
“Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their
related entities that operate using the “Deloitte” name in the United States, and their respective affiliates. Certain services may not be available to
attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of
member firms.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial,
investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor
should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may
affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who
relies on this publication.
Copyright © 2019 Deloitte Development LLC. All rights reserved.

Consumer privacy in retail

Consumer privacy in retail

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Consumer privacy in retail

Similar to Consumer privacy in retail(20)

More from Deloitte United States

More from Deloitte United States(20)

Recently uploaded

Recently uploaded(6)

Consumer privacy in retail