Data Privacy and the Consumer Relationship

The conversation around data privacy and trust is evolving. In allowing consumers the right to access and the right to delete personal information that a merchant maintains, the General Data Protection Regulation (GDPR) was the first sweeping law of its kind. The California Consumer Privacy Act (CCPA) followed not long after, and Washington state has been drafting its own legislature to provide its citizens with similar rights.

We at W. Capra believe that these legislative acts signal further legislation to come.. As we think about the future of customer data and privacy laws, however, it becomes clear that the relationship between merchants and their consumers is changing.

Is Legislation Necessary?

In order to understand why lawmakers deemed legislation necessary to address the collection of consumer data, it’s important to acknowledge that many US merchants have taken the approach that more data is better. In theory, any piece of data collected at consumer touchpoints can be used to know your customers and effectively target relevant messages to them:  address can be leveraged to communicate store openings, products viewed can be leveraged to tailor communications with consumers, browsing timing/habits can be leveraged to understand what time of day might be best to communicate with the consumer, etc. In practice, however, many merchants have collected more data than they know how to leverage.

While the practice of over-collection in itself is not criminal, it signals that merchants who are guilty of collecting data in this fashion haven’t placed a proper value on the data they’ve collected. This practice has created an ecosystem whereby merchants are hording PII data that the consumer may not be aware is in the merchant’s data warehouse. In many cases, the consumer did not expressly consent to the collection of this data— they’re not aware of how a merchant is using their data or who the merchant may be sharing their data with. This scenario becomes infinitely more complicated in the event of a breach.

It is this perceived loss of trust between consumers and merchants that have prompted lawmakers to enact legislation.

Re-Establishing Trust

The law, in and of itself, will do nothing to restore trust between consumers and merchants— trust is emotion-based, and it is incumbent upon the merchant to create this emotion in their customer experience. That said, merchants need to understand that their responsibility is not merely to comply with the law, but to address the concerns that the law is attempting to address.

Apple has notably addressed this perceived lack of trust in their consumer relations (see their latest Superbowl commercial), and we expect that more brands will begin to engage in a more open dialogue with their consumers around privacy, trust, and data collection. In truth, more merchants will have to engage in this discussion.

For today’s consumer, brand loyalty is more than a preference— it’s a choice to incorporate a brand into one’s lifestyle. The conversation around trust is changing. Merchants will no longer maintain relevance unless they begin to participate.

It is important for merchants to remember that one negative experience can overshadow more consistent positive experiences, and more data can equate to more exposure and more vulnerability under unfortunate circumstances.


Beyond direct dialogue with the consumer, merchants will need to actively demonstrate their commitment to the protection of data. This commitment is no longer a competitive strategy— it’s the law. Merchants need to ensure that their systems that touch consumer data comply with the CCPA, allowing for Verifiable Access Requests (VARs) from consumers and the processing of access/delete requests.

For further discussion around privacy and consumer engagement, including how to ensure compliance with the CCPA, contact Daniel at [email protected].

Verified by MonsterInsights