Military personnel tracking their exercise regimen likely weren't expecting the fitness tracking app Strava, which could be used with devices like Fitbit, to show where they were serving in secret military bases. And Fitbit customers who bought the sleek activity trackers to monitor their heart rates or steps probably weren't pleased when the devices reportedly revealed their sex statistics.
In the era of the internet of things, brands want to know their customers as intimately as possible. While L.L. Bean pulled plans to implement IoT technology into coats and boots about a month after it teased it in 2018, Under Armour unveiled smart fabric shoes, which could indicate the next iteration of personal data gathering will likely be, at least in part, from smart fabric technologies.
But as companies develop smart fabrics and other wearable technologies, consumers are simultaneously awakening to the adverse outcomes of too much data collection. Specifically, biometric data, which gathers information based on a person's physical traits and identity.
Though retailers and brands might be tempted to collect as much data as possible in the name of marketing to their customers, cybersecurity, legal and healthcare experts warn that companies must be judicious about the biometric data they collect. They also must remain aware of emerging privacy regulations and become more transparent about their data collection. Failure to do so, multiple sources told Retail Dive, will not only damage brands' reputation, but also open them up to legal liabilities.
A January 2016 Transparency Market Research report predicts that smart textiles will be applied to sports and fitness, automotive, military and defense, health care, entertainment and other sectors, and will draw on smart fabric functionality such as UV protection, water and stain resistant, anti-bacterial and other applications. A May 2017 Allied Market Research report predicts that the sector will grow primarily in North American, European and Asian-Pacific markets.
The smart fabrics products and wearable devices developed for consumer use aren't required to comply with HIPAA regulations, but companies developing these technologies will need to pay attention to the current patchwork of U.S. state and international data breach regulations, Suzanne Widup, senior consultant for Verizon's RISK Team, told Retail Dive in an interview.
Aside from a PR backlash, failing to adhere to U.S. and international regulations could leave companies vulnerable to consumer lawsuits. A California Consumer Privacy Act amendment is making its way through the legislature, but it's worth paying attention to because of its provisions that allow consumers to sue, Widup said, adding that California's laws tend to set the standard for similar legislation.
The complications of data collection for retailers
Before companies even begin collecting data, they need to determine what consumer biometric data they actually need, multiple sources told Retail Dive. The less biometric data companies collect, the less data they'll need to secure, Widup said. Though companies may be incentivized to collect as much data about their customers as possible, they need to remember that the data belongs to users, not them, she added.
Companies should also work with regulatory or patient privacy experts when developing wearable and smart fabric technologies, because having an initial consultation isn't enough, according to Jacob Krive, clinical assistant professor of biomedical and health information sciences at the University of Illinois-Chicago. Working with experts along the way will give companies a sense of regulatory compliance requirements in terms of what logs they need to complete and what tasks they need to track, he said.
"Oftentimes, what regulations require goes against the general product or software development logic," Krive told Retail Dive in an interview.
Furthermore, in addition to appointing a chief information or cybersecurity officer, companies should appoint a chief privacy officer who is responsible for making sure that companies aren't violating users' privacy, Widup added.
Once companies begin collecting biometric data, they'll need to cover the basics, such as where their data is stored, how they are managing it, who has access to consumers' information and how unauthorized access of this data restricted, Dana Tamir, vice president of market strategy at Silverfort, told Retail Dive in an interview. When it comes to databases and file sharing, companies also need to assess who has access to consumer biometric data and think carefully about who actually needs that access, Tamir said.
Though consumer wearable or smart fabrics technologies don't always fall within HIPAA regulations, companies developing these technologies can apply similar concepts, such as asking consumers for express permission before sharing information and explaining to consumers what biometric data the company plans to share, Elizabeth Litten, partner and HIPAA and cybersecurity officer at Fox Rothchild, told Retail Dive.
But, should retailers ever share consumers' biometric data?
It depends. Retailers may already be sharing biometric data with other retailers or research firms, but Tamir said retailers shouldn't share consumers' personal data at all. However, if they are going to do so, companies need to anonymize data as much as possible so as to conceal their customers' identities, she adds. On the other hand, as companies increasingly share data among each other, Litten says it's possible for companies to reveal consumers' identities by tapping into larger data sets.
Keeping data safe
According to the 2018 Thales Data Threat Report's Retail Edition, 75% of retailer respondents said they experienced a data breach in the past, but only 26% of respondents said they implemented encryption protections.
With retailers, financial services firms and social media sites making headlines for their privacy and cybersecurity struggles, consumers have become warier of giving away their financial and other personal data.
Aside from causing regulatory headaches for companies, data breaches are quite costly, and they are pricier now than in the past. A 2018 IBM study found that the global cost of data breaches was $3.86 million, up 6.4% from the year prior. On average, each stolen sensitive record costs companies $148, IBM study found.
Telling consumers in plain language how the company plans to use and protect their data could ease their apprehension about sharing it, Krive said. As companies change the data they collect or how they use it, they should notify users via email or in-app notifications after they've signed up for the service, Widup said.
A December 2018 Experion report predicts that hackers will have their eyes on fingerprint ID sensors, facial recognition and passcodes. It's not clear what other biometric data hackers will attempt to steal, but hackers will find the data and sell it if they can find a buyer, Widup said.
Once a company has to report its security breach, the overall brand could lose some credibility in the eyes of consumers, she said, adding that the company can no longer control how the data is used once it's stolen.
"It's really easy to cross that line into creepy," Widup said. "It's about being a steward of the data of the information and not necessarily considering it just your data because you've collected it."