By Giulio Coraggio (Milan)

According to an SAP report, The Internet of Things (IoT) will generate US$329 billion of revenue in the retail sector by 2018. But such massive growth comes along with legal issues concerning privacy and cybersecurity, as well as product liability.

What is IoT?

The Internet of Things is the constellation of inanimate objects designed with built-in wireless connectivity − a vast network of personal devices that allow users to connect to the worldwide web from anywhere and allows usage to be monitored, controlled and linked over the Internet, often via a mobile app. In the world of fashion and retail, IoT allows companies to better know their customers and customize and improve purchasing experiences and services by utilizing sensors and big data analytics. It is still early to predict the major areas of growth for the IoT, but the following are some of the most interesting apparent trends:

Multichannel retail

Commonly known as “me-tailing”, this refers to retailers’ ability to collect real-time data about customers from different sources, such as mobile, social media, in-store channels and wearable technologies, so that retailers can offer very personalized interactions with customers.

Understanding customer tendencies is essential to showing customers products that are right for them. Multichannel retail is already common for online stores and increasingly popular for physical stores, but it entails detailed filtering and profiling of customer preferences.

Likewise, increasing simplicity of payments is one of the most relevant areas of growth for IoT technologies. Smartphones, smartwatches and other wearable technologies can communicate with retailers’ payment systems to facilitate the payment process.


As in the US, RFIDs (radio frequency identification chips) are already commonly used by retailers in Europe to prevent theft, but can now also be used to collect additional information on customer preferences and location, as well as for inventory management due to integration with the retailer’s online sales channel. QR (quick response) codes on product labels provide customers with additional information about items and enable retailers to perform in-store marketing activities.

Retailers can use IoT sensor technology to change the environment when shoppers are in proximity – for example, by projecting an interactive display. IoT sensor technology can also be used for in-store analytics, such as tracking and measuring customer flow in specific areas of stores.

Some commentators view Bluetooth Low Energy (BLE) applications – commonly known as beacons – as the future of the European retail sector. Most smartphones and wearable devices are already equipped with applications that can communicate with beacon devices located in shops, enabling retailers to track and send notifications to customers while shopping.

The main advantage of beacons is their ability to accurately detect approximate customer location, making in-store marketing, tracking and payments more effective. Customers might even receive push marketing notifications on their smartphones as they approach discounted products.


Various legal issues arise from these and other IoT technologies that collect information about consumers, either individually or in the form of aggregate “big data.” Some of the most prevalent legal risks for retailers are outlined below.


European privacy regulators recently raised concerns about IoT technologies in the retail sector, and, in particular, their apparent lack of transparency. Customers are not told when, how or for what purpose their personal data is collected or processed, or to whom such data is communicated. The extent of information collected and the type of customer consent required to utilize such technologies also pose issues, especially since even anonymized collected data can be used to generate detailed user profiles. The European Commission is already attempting to find efficient privacy solutions with respect to RFIDs, but similar solutions must be explored for IoT technologies.


IoT technologies that permit the exchange of large data volumes present serious cybersecurity risks. In addition, loss of customer data resulting from use of IoT technologies can lead to privacy-related liability for the data breach, resulting in fines of up to 5 percent of the retailer’s global turnover under new EU privacy regulations. However, implementing stringent security measures might lead to practical inefficiencies in the effective use of IoT technologies.

Liability for different involved entities

A common issue arising from IoT technologies relates to the liability of different entities involved in managing the technology. Indeed, retailers often rely on technologies provided by information technology suppliers that, in turn, manage a cloud database through subcontractors. The issue arising from this scenario, in which a number of parties are involved, is how retailers should be protected – both in terms of service levels from their counterparties and in terms of managing potential reputational damage in case of data loss or cybercrime. Another open question relates to which of these parties “owns” the collected data that triggers the compliance obligations mentioned above.

 As IoT technologies are adopted in retail sectors, retailers will have to confront these legal issues in a manner that balances business focus with providing adequate customer protection in a way that is financially feasible for retailers and suppliers alike.