Does Amazon Go + GDPR = Amazon No-Go?
Yesterday, my colleague and commerce guru Jill Finger Gibson did a great job explaining Amazon Go, the retail behemoth’s experiment with what might be called “1-Step” grocery shopping: Walk into the store, grab what you want, and walk out. Amazon’s surveillance technologies (cameras, microphones, device identifiers, facial recognition, etc.) will (supposedly) take care of accurately understanding what you picked up, and charge your Amazon account the appropriate amount. (There are reportedly even scales built into the shelves, in order to prevent you from gulping down a half bottle of Yoo-Hoo and putting it back.)
Jill stressed that Amazon Go is still an experiment. The dire implications she foresees for CPG companies and merchandising careers may never come to pass. Moreover, if Amazon Go does get going, it will probably be some time before it reaches Europe. If and when it does, however, Amazon Go is going to run smack into the EU’s General Data Protection Regulation (GDPR). (For a quick introduction to the GDPR, grab our free Executive FAQ.)
A GDPR nightmare?
On one of the privacy and data protection forums I frequent, it’s been suggested that Amazon Go would be “a GDPR nightmare.” With ubiquitous surveillance, data collection, and biometrics (including, perhaps, skin tone recognition!), Go certainly will pose a GDPR compliance challenge. As a thought experiment, let’s look at the legal grounds Amazon might appeal to under the GDPR and to what extent they could justify the data collection and processing. (Henceforth referred to simply as processing.) Go aside, it’s also a great way to dig into some of the key provisions of the GDPR. By the way, I’m not a lawyer, and this is a thought experiment, so feel free to object if you think I’ve Amazon Gone astray.
First, it seems safe to assume that Amazon has two fairly distinct goals for the data processing. One is to enable the store to function — that is, simply to make sure that each shopper is charged the right amount for what they take. Call this the “transactional” processing purpose. The second is, in fine Amazon tradition, to amass and study the data for the purpose of, as they say, “optimizing the experience.” (Aka, helping Amazon sell more stuff.) Call this the “data mining” purpose.
Stake out your legal ground
The GDPR requires that every instance of data processing must appeal to one of six legal grounds. Article 6(1) of the regulation spells out the six grounds (which are articulated in subsections 6(1)(a) through 6(1)(f)). Three of these are, I think, irrelevant: compliance with a legal obligation (c); protecting the vital interest of the data subject (d); and processing carried out in the public interest (e). This leaves: consent (a); legitimate interest (f); and processing necessary for the performance of a contract (b). Let’s start with the last of these.
Amazon Go enables a shopper to take some good(s) proffered by Amazon in exchange for the shopper’s money. This is a normal commercial transaction, and it fulfills the two fundamental conditions of a contract — the parties are in agreement, and something of value has been exchanged. In a normal, employee-friendly store, these conditions are literally acted out in your interactions with the cashier: You give him some good(s), he states a price, you signal agreement by paying. In an Amazon Go store, all of the fancy technologies basically exist simply in order to sustain this contractual exchange in the absence of human employees. All of which is to say that, in my view, Amazon might reasonably claim that the data collection and processing is necessary to create and enable a contract between the shopper and Amazon.
But — and it’s a very big but — even if valid, this would justify only what I called the transactional purpose. Amazon could hold the collected data for a reasonable period of time in order to verify the contract — for example, if you dispute the billing or you want to return an unacceptable item. But any further data mining — and you know that this is where the real value is produced for Amazon — is clearly not required for the contract and so could not legally be carried out using this legal ground.
Call it Amazon Go-Not-So-Far
What about the legal ground of consent? Surely, if you sign up for the service, Amazon can require you to agree to terms and conditions that effectively surrender your data and allow them to do with it as they please, right? (Just as they do today, when you use Amazon.com.) Well, not so fast. (In the interest of time, I’ll give the quick answer about consent and legitimate interest, both of which we’ll be publishing more about soon. Contact me in the meantime if you want to discuss.)
First, the GDPR requires that every consent request must state the precise purpose for which the data will be processed (as well as by whom it will be processed, how long it will be stored, and numerous other details). If a firm (the so-called data controller) intends to use data for more than one purpose, each of these must be stated. Very simplistically, Amazon might say: We propose to collect the following types of personal data in order to (a) enable the transaction in the store and (b) optimize the service (i.e., via data mining). However, the GDPR requires that consent must be “granular.” That is, Amazon Go users must have the option of agreeing to (a) while refusing (b). Again, Amazon’s data mining goals are thwarted, or at least blunted.
At this point, some of you may be getting rather irritated. (Especially if you’re a devotee of the works of a certain author whose first name is an odd variant of Anne.)
What do these EU bureaucrats think they’re doing, anyway? It’s Amazon’s damn service, after all, and if you want to use it, you’ll play by their rules. Take it or leave it.
Actually, no. The GDPR has this interesting provision (here from Recital 43, my emphasis): Consent is not valid (i.e., cannot be used as a legal ground) if “the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”
My consent to data mining is not necessary for the provision of the Amazon Go service; therefore, Amazon cannot deny me access to the service if I refuse to provide consent for data mining. (And yes, I think this also means that when the GDPR comes into force in May 2018, any European resident will be able to opt out of the collection of personal data on services like Google search, Gmail, Facebook, and Amazon.com, except where it is specifically necessary for the service to function.)
Finally, legitimate interests. Well, it’s complicated. But suffice it to say that the GDPR requires a data controller to very carefully balance their own legitimate interests (i.e., conducting a profitable business) with the fundamental rights of the individual. In this case, I believe that, once again, processing data for the transactional purposes at Amazon Go would be considered a legitimate interest, but that subsequent data mining would fail this balance test.
And to answer the rhetorical question above: The EU bureaucrats responsible for the GDPR think that what they’re doing is carrying out their obligation to enforce the EU Charter of Fundamental Rights, which includes the right to “respect for private life and the right to the protection of personal data.”