Picture this: you are walking home from work one evening after a tiring day. Out of the corner of your eye, you notice a digital display in a shop window. It greets you by name and flashes up an offer for your favorite chocolate bar. You enter the shop and the chocolate bar is waiting, ready to go. You pick it up and leave the shop; no further action on your part needed.

This may sound like science fiction, but this technology exists today. Its use in this way is just one example of ambient commerce, whereby retailers surround consumers with technology for an immersive and sensory shopping experience, including through the deployment of artificial intelligence and a virtual augmented reality customer journies. As retailers continue to look at how they can increase footfall and bring consumers back in-store, the possibilities offered by embracing these technologies are undoubtedly attractive. Ambient commerce will rely on combining a range of digital, transformative technologies such as location tracking, facial recognition, sentiment analysis, collection and analysis of consumers’ data footprints (i.e. retail habits and buying history), with apps on consumers’ phones sharing data between players and quicker communication thanks to 5G.

As may be expected, ambient commerce gives rise to a number of legal issues as retailers engaging in this evolution of the high street will need to track the behaviors of their customers. This will necessarily entail collecting and processing large amounts of personal and in some cases, sensitive, data such as facial profiles, fingerprints, location data, device IDs etc. Retailers within the European Economic Area will need to comply with the General Data Protection Regulation (GDPR), which means ensuring there is a legal basis for the processing, providing appropriate security measures for the data, and crucially, making sure shoppers understand what personal data is being collected, how it is being used and shared. There will of course be challenges in meeting the latter requirement in particular, without detracting from the seamless shopping experience.

Similarly, as bigger pools of data are amassed, the risk from any breach or loss of data rises. Many will be aware of the much-publicized fines which can be levied by EU data protection regulators (up to the greater of EUR20 million or 4% of the group’s global annual turnover), but there is also a very real risk of claims by affected data subjects, and significant adverse publicity for a retailer that falls foul of GDPR requirements in a high-profile breach.

Closely linked to data protection law requirements is the issue of cybersecurity. Operators will need to protect their systems, data and networks, in an Internet of Things environment, because of the number of physical of devices which must be protected in a non-traditionally secure environment. Secondly, there will be a greater risk of cyberfraud. By offering new purchasing channels, new opportunities are created which fraudsters will look to exploit.

Lastly, there are likely to be considerations around contract formation in particular, how, and at which point in the process, is a contract formed when shopping in an ambient commerce environment. Operators will need to think about the legalities around formation of a contract and ensure that these are adequately fulfilled. 

Return to Law à la Mode: Issue 29

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.