EU data regime offers peek into customer tracking by firms here

Methods include Hilfiger’s use of ‘wifi tracking’ to monitor ‘window display conversion’

Like me, you were probably blue in the face receiving emails over the past month or so from various companies and organisations alerting you to changes to their privacy policies brought about by the European Union’s new General Data Protection Regulation (GDPR) regime.

The silver lining, in theory at least, is that you should no longer receive the annoying spam that you never solicited in the first place.

For the ones that you wanted to retain, you probably just clicked on the link provided and “opted in” to the policies without bothering to actually read them. Who has the time for that, right?

It’s true that the policy statements are dry fare but they also offer an insight into how companies, big and small, conduct their business here, and the tactics they employ to entice you to purchase their products or services.


Take Clayton Hotels as an example. It is one of the brands used by Dalata, Ireland's biggest hotel group. It gives extensive information on the more than 30 cookies it uses to hold information about your previous visits to its website.

In some cases this information can be held for up to two years and it includes "retargeting" advertisements for the Maldron Hotel, its sister brand, and other "partner" hotels.

There’s also a warning that disabling cookies “will mean you lose a lot of functionality”.

Ad blockers

In the UK, the Thistle hotel chain uses devices that track your location, your IP address and tell the company if you are using an ad blocker. Information about ad blockers may be used to “reinsert adverts and to understand how ad blockers and other privacy tools are being used by our visitors”.

If you use its social media sites, the company may “access, use and store information about you” and this may be shared with its “advertising network partners” to enable them to target ads at you.

Thistle also declares that it “may compare” its customer database with its commercial customers or partner databases either directly or through a third party. Why? “To plan joint marketing activities and promotions.”

In the restaurant sector, the policies of Brasserie Sixty6 on South Great George’s Street in Dublin run to 10 pages. Among other things, it reveals that vouchers for the restaurant “have no expiry date” and will always be accepted even though “they will state one year” validity on the card. And it “may be able” to replace a lost or stolen voucher if you have the reference number. Good to know.

By contrast, the privacy policy of Peploe’s on St Stephen’s Green runs to a mere 12 lines. Its daily lunch menu is longer than that.

It is rare that we get an insight into how media-shy Irish retailer Dunnes Stores does its business, so GDPR offers a peek inside the door.

Be aware that if you use the free wifi in its stores the company is collecting information about you and it uses “automated methods” to “understand which Dunnes Stores outlet you usually shop at, whether you have been shopping recently or not, and which products you purchase or which you might be interested in hearing about in future”.

It will “never ask a customer to confirm any account or credit card details via email” but if you want to know what information Dunnes Stores is holding on you, then you will need to complete an “access request form” and include a copy of your passport or national identity card.

In the transport sector, Irish Ferries collects video footage at its port locations and aboard its vessels. So be on your best behaviour.

Interestingly, “personal information may be held in the United States”, where the ferry group’s online chat services are hosted.

Privacy Shield

Irish Ferries says “the US entity has signed up to the EU/US Privacy Shield in order to ensure that your personal information is protected to at least Irish standards”.

Such sharing of information was at the heart of the long-running battle fought by Austrian lawyer Max Schrems, who said his rights were breached by the transfer of his personal data by Facebook's European headquarters in Ireland to its US parent company.

US law allows such data to be accessed and processed by state agencies in the interests of national security. Schrems’ seven-year battle went all the way to the European Court of Justice and brought down Safe Harbour, a data-transfer mechanism used by thousands of companies.

Ticketmaster, which is owned by Live Nation, is another company that may transfer your information outside of Europe to provide a "seamless experience"when "world-class acts are touring".

American fashion brand Tommy Hilfiger, meanwhile, does a good impression of Big Brother with its privacy terms.

Hilfiger uses “wifi tracking” to “monitor window display conversion”. In other words, the number of people that look at a window display and then go into a shop.

“In our stores, we may conduct wifi tracking to monitor visits to our store and in-store movement of customers,” it states, adding that such tracking will be indicated with a logo either in the shop or the window. A case of buyer beware, if ever there was one.

Twitter: @CiaranHancockIT