Given the upcoming Protection of Personal Information (Popi) Act, retailers have to be prepared to deal with customers’ questions about the type and amount of personal information that they are collecting, why they are collecting it and how they intend to protect it against abuse.
Popi provides a wide definition of personal information, which could include diverse forms of data — addresses, ID numbers, cellphone numbers, biometric information and even personal views on certain issues.
It also differentiates between “normal” personal information, special personal information (such as information about health) and children’s personal information, all of which have different rules that will apply to the processing of the personal information.
There isn’t a defined list of information that retailers are prohibited from collecting, but as a rule any business should collect only what is necessary to achieve a specific purpose.
A good example of this is the use of an ID to verify a customer’s identity. Retailers have to justify why they should be entitled to collect the information. For example, do they really need a copy of a customer’s ID or is it sufficient for that customer to merely display the document? If they don’t need a copy, why keep it? And even if they can justify why they need a copy, they should use it only for the purpose for which they originally collected it. Should they wish to use the information for any other purpose they will need to notify the customer.
Consent as such does not always have to be given in written format, as it won’t always be practical to get it. If a supermarket has a lucky draw box on the counter where customers place their till slips with their phone numbers to enter a competition, it won’t want them to have to fill in lengthy permission forms. But they will only be able to use the information they receive for entry into the draw. Any other purpose will need to be specified explicitly.
Similarly, if a customer has signed up for a loyalty programme, the retailer is entitled to track their purchases and use this to promote products based on buying behaviour, but only if it received consent to do so when the customer signed up.
Of course, not all retailers’ communication occurs in-store. Many frequently communicate with customers via social media platforms like Facebook. Social media has meant that many customers make information publicly available. This does not mean that Popi in its entirety won’t apply.
If a company wishes to collect data via its Facebook page, it will still be responsible for securing and protecting that information, and it will still have to limit its use, disclosure and retention in line with the purpose for which it was collected.
Naturally, security is a large concern for retailers, many of which frequently receive and retain sensitive hard copy information, such as credit card slips. Retailers will have to retrain their employees in preparation for Popi. There isn’t an exact list of specific measures to be implemented, but retailers will need to review their processes and educate their staff about the importance of safeguarding personal information.
Popi also has implications for future human resources activities. These will include revising current policies and employee contracts. Although this may be a costly exercise, most retailers regard Popi as positive. Most understand that the misuse of customer information will have serious reputational consequences. It is necessary to create awareness among staff members about the use of customers’ personal information.
Responsible use is key. Most retailers are eager to safeguard their customers’ information and upgrade their security measures and policies accordingly. And Popi has forced retailers to reconsider and improve existing processes.
- Jana van Zyl is a partner at Dommisse Attorneys