Trading Bulletin: December 2023

Data Protection updates

ICO publishes guidance on data protection law helping retailers tackle shoplifting

The ICO published their advice on how data protection law can help retailers tackle shoplifting. The blogpost pinpoints what information can be shared and with whom - in the context of what is necessary and proportionate data processing for crime prevention.

See the ICO's post.

Data Privacy Risks & Artificial Intelligence

As retailers embrace generative artificial intelligence (AI) tools to meet the consumer needs of today, data privacy risks need to be considered. Amongst other things, retailers should consider creating privacy governance frameworks applicable to these technologies and embrace employee training to ensure they comply with their data protection obligations.

Penalties totalling £590,000 for unsolicited marketing calls to members of the public

In September, the ICO issued fines totalling £590,000 to five business that made 1.9 million cold calls to members of the public registered with the Telephone Preference Service (TPS) in the UK (and have opted out of such marketing calls). Calls can only be made to TPS members that have opted into marketing from the specific organisation.

Read about the fines.

ICO and 11 global data protection authorities issue a joint statement on data scraping

Data scraping is used to quickly pull large amounts of information from the web. The statement highlights that scraping from websites with publicly accessible data creates privacy risks and potential harms, including identity fraud. Retailers with any publicly accessible data on their websites will need to be aware of these risks and protect personal information from unlawful data scraping.

Read the ICO guidance.

Financial Services Updates

The FCA patrols BNPL

On 31 October, the FCA published a press release setting out the contract changes to buy-now pay-later (BNPL) products it had secured from both PayPal and QVC.

The FCA’s view was the following terms were potentially unfair or unclear for customers:

• In both contracts, the terms dealing with continuous payment authorities
• PayPal’s terms on what happens when a consumer cancels their purchase funded by a BNPL agreement.

Read about the changes.

Financial Conduct Authority rules on advertising cryptoassets

The FCA has taken over the regulation of ads for ‘qualifying cryptoassets’ – these are cryptoassets that are transferable and fungible, including cryptocurrencies and utility tokens. The rules will apply to all firms marketing qualifying cryptoassets to UK consumers, regardless of which country they are based in, or the technology used.

Read the new rules.

The FCA has published useful data underpinning its new Appointed Representative strategy

The FCA have been tightening their approach towards Appointed Representatives (AR). An AR is an entity that piggybacks off the FCA authorisation of an FCA regulated firm. The principal firm (i.e., the regulated firm) is responsible and liable to the FCA for the AR's regulated activities.

Many retailers use this regime to allow them to carry on FCA regulated activities such as consumer credit broking or assisting in the administration of a contract of insurance (see the full list of activities). While the AR regime has benefits, including encouraging effective competition and providing market access, there is evidence of potential harm to consumers, particularly because of poor principal oversight of AR activities.

The FCA has published some useful data showing an overview of how the regime has grown and the key gaps in due diligence and oversight that many principles have overlooked.

Read the data.

Health & safety/environmental updates

Bans on single use plastics from 1 October 2023

As detailed in our article, the ban on single-use plastic items in England came into force on 1 October 2023.

The ban applies to single-use plastic cutlery, balloon sticks, plastic plates, trays, and bowls. However, it does not include single-use plastic plates, trays and bowls which are being supplier to another business, or where the items are used as packaging (pre-filled or filled at the point of sale).

Fire safety guidance

The Home Office has published guidance to assist ‘persons’ with duties under fire safety legislation in England to comply with the legislation. Its purpose is to explain the duties in simple, nonlegal language. It also aims to assist in deciding the identity of the responsible persons at any premises.

Read the guidance.

Certain CBD products may be authorised in 2024

In response to a recommendation from the Advisory Council for the Misuse of Drugs the government has agreed to amend legislation to exempt certain CBD products from the Misuse of Drugs Act. This could see CBD products regulated under Food Law by the FSA, rather than under the Misuse of Drugs Act and the Home Office and potentially authorised in 2024.

Food allergen labelling: best practice updates

The FSA has now published its updated guidance on food allergen labelling. It covers updates on the application of precautionary allergen labelling and best practice guidance on No Gluten Containing Ingredient statements.

Read the guidance.

Should you have registered your building as an occupied higher-risk building?

If your building has at least two residential units and meets the 18-metre or 7-storey height threshold, it will be classed as an occupied higher-risk building.

Any occupied higher-risk buildings need to be registered with the new Building Safety Regulatory to avoid committing a criminal offence.

For more information see our article.  

Marketing updates

Are your marketing communications recognisable as such?

Several influencers have been caught out by the ASA for not ensuring that their marketing communications are recognisable to consumers as such, prompting the regulator to set out some useful guidance on "Why it pays to #ad". Are the influencers you collaborate with complying with the rules?

Read the ASA guidance.

CMA investigations over the last quarter

The last quarter has seen the CMA launch investigations into the housing market, 'quickie' legal services for will-writing, divorce proceedings and probate services and the veterinary sector. All of these aim at protecting consumers from illegitimate services and inflated pricing at a time where the cost-of-living crisis continues to bite.

Are your environmental claims compliant?

In October, the ASA ruled on a couple of environmental claims made by marketing agencies for an oil company and a car manufacturer. The takeaway from these rulings are that if you are making environmental claims, they should be clear, not seek to mislead consumers and certainly not exaggerate the overall carbon footprint of the company making the claims.

You can read more about this in our monthly Marketing Matters newsletter.

CMA launches investigation into Worcester Bosch

The CMA has launched an investigation into Worcester Bosch over concerns it may be misleading shoppers in its marketing of boilers as ‘hydrogen-blend ready’. If consumers are likely to think that the boilers are more environmentally friendly than they actually are, Worcester Bosch could end up in the CMA's bad books.

Read about the investigation.

Sales season – watch your marketing

The ASA have provided some essential guidance for the upcoming sales season which will be particularly useful for marketing teams gearing up for this busy time. Don't mislead, don't exaggerate and don't conceal material information that customers need to know are some of the main points the ASA is trying to hit home.

Read the ASA's guidance.

For our guidance on urgency and pricing claims, read our article.

Lawyer spotlight: Ashley Avery

Ashley Avery is a Partner in our Commercial team. Ashley is an expert in advising clients on complex data privacy issues and confidentiality issues, brand protection and exploitation and software development and licensing matters.

What were the key challenges facing the retail sector from a data perspective in the last quarter?

Facial recognition technology to prevent retail crime

This has been a really big issue for retailers. The key steps that retailers can take to try to avoid being subject to regulatory action by the ICO include:

• Reducing the personal data collected by focussing on repeat offenders or those committing significant offences.

• Having an appointed data protection officer.

• Protecting vulnerable individuals by ensuring they do not become a 'subject of interest'.

It may be helpful to note that the ICO has recently cleared the live facial recognition system provided by Facewatch as being legally compliant.

CCTV to prevent retail crime

Over the last few months, the Policing Minister and others have suggested that retailers should make greater use of CCTV in the prevention of crime. Key data privacy considerations that retailers have had to consider when using CCTVs for this reason include:

• How long can images be stored.

• Data protection and information security requirements to bear in mind when using live CCTV recording.

Going forwards, collecting, and using personal information must be balanced against the privacy rights of the individual (as with facial recognition technology), and retailers should take precautionary measures to ensure CCTV use is effective in relation to meeting their legitimate interests, and that there is no less intrusive alternative.

Using customer databases to market products

The ICO has recently published updated guidance for businesses using 'refer-a-friend' marketing schemes. This is a method of direct marketing where businesses request existing customers (referrers) to pass along marketing messages to their family and friends (referees) in exchange for a reward. This can better protect customer data, whilst allowing businesses to get access to a new customer database at relatively low cost.

Read more

What challenges will the retail sector face from a data perspective in the next quarter?

Data Protection and Digital Information Bill replaced with a new Data Protection and Digital Information (No. 2) Bill

Retailers will need to review their privacy and data policies in light of these new laws once they are enacted. A greater amount of personal data processing exemptions may also present opportunities to reduce costly compliance fees, and legal advice is recommended if changes are implemented.

Retail & AI

Key data privacy risks that retailers should consider include:

Ensuring AI model's decision-making processes do not discriminate against individuals so as to be caught by the Equality Act 2010.

Updating effective risk management approaches and improving employee training.