1/2/18 · Computer Science, Multimedia, and Telecommunications Studies

The websites of major corporations repeatedly breach the Data Protection Act

Session replay scripts, applications that capture every move we make when we browse a website, are becoming increasingly commonplace
Photo: Pixabay / Stock Snap (CC), https://pixabay.com/en/ecommerce-shopping-credit-card-2607114/

Online sales continue to grow at exponential rates; almost 60% of Spanish consumers buy at least once a month through an e-commerce site. This is what PwC's Total Retail 2017 report says, advising companies to invest in data analysis in order to consolidate this trend and offer a better browsing experience to their users.

To help them do this, companies specialized in online marketing sell a number of tools (scripts) developed specifically to analyse users' behaviour within a website. These tools range from basic metrics, such as the number of visits, the most viewed pages and the number of hours logged on, to so-called session replays: applications that capture absolutely everything that a user does within a website, including mouse movements and clicks, complete browsing history, analysis of the keys pressed and – this is what the controversy is all about – the personal data we enter.

Researchers at Princeton University have published a study in which they assert that almost 500 of the world's most popular websites use this type of session replay script, which "snatches" the personal data of the people who visit them without telling them beforehand. Furthermore, the experts warn that there is a risk of this data being leaked and that sensitive data, such as passwords, bank accounts and medical reports, may end up in the hands of third parties.


Know your users to be more competitive

"As a general rule, companies use these programmes to improve the design of their websites and, above all, to improve the interaction with their users", says Josep Maria Català, professor at the UOC's Faculty of Economics and Business, who suggests that their main appeal for companies lies in the possibility of ascertaining the steps in the purchase process and avoiding baskets being dropped, or improving the targeting of their last-minute promotions and special offers. Català points out that, in the past, consumer studies were very expensive because companies either had to rely on qualitative techniques, such as interviews with selected audiences or group sessions, or contract market surveys. "Now, by simply putting a line of code in the website, all these costs have been reduced and all the information is collected automatically", he explains.

The competitiveness factor is also part of the equation. The more information companies have about their users, the better they can plan what they are going to sell and the more effectively they will be able to implement their marketing strategies. In fact, the professor considers that this information is "vital if companies are not to lose positions to their competitors".


Systematic breaches of the Personal Data Protection Act

"The first thing that must be done in these cases is to determine whether the purpose for collecting users' personal data is legitimate since, if it isn't, they can't be processed," explains Carles San José, professor at the UOC's Faculty of Law and Political Science. Second, the party responsible for processing the data, which in this case is the company owning the website, must inform the user expressly, precisely and unequivocally about the purpose for which the data will be collected and also who will receive the information. Furthermore, the user must give consent to his or her activity being tracked or monitored while browsing through the website, and also to the possibility that his or her data may be made available to third parties. "This consent must be given expressly if specially protected personal data are collected (Art. 7 of the Spanish Personal Data Protection Act (LOPD); for example, health-related data), and it must be possible to prove that this consent has been given", San José explains. In turn, the owner of the website may not use the data obtained for any purpose other than that which has been notified to the user, and it may only collect and process the data that are appropriate, relevant and not excessive for the intended purpose (which must have been notified to the user).

Thus, companies may commit systematic violations of the Personal Data Protection Act, for example, a minor infringement for not adequately informing the user, a serious infringement for processing data without consent, or a very serious infringement for processing specially protected data without consent. The Law provides for fines between 900 and 600,000 euros, depending on the severity of the infringement. Carles San José considers that "apparently, the use of scripts raises serious doubts from the viewpoint of the regulations concerning the protection of personal data".


More transparency to create trust

The warnings made about these practices may make consumers wary, with adverse consequences for the companies who use them. "Many users deliberately give inaccurate data, a phenomenon known as dirty data, and this impacts on the success of marketing campaigns", Josep Maria Català explains. The professor gives three recommendations to companies that already use tracking scripts or are considering implementing them on their websites:

Transparency in the relationship with the customer: as is already usual practice in telephone calls, inform the user that his or her session may be recorded in order to improve the website's usability. If the company says this clearly and is transparent, it will get more accurate data.

Contract trustworthy suppliers: if a business wishes to install a script on its website, it is advisable to contract a specialized company that, preferably, is based in Spain and can certify that it complies with the regulations currently in force.

Good data analysis: once the desired information has been obtained, the company must process it properly and use it to improve its processes. This way, both the company and the user will benefit.

In short, ensuring good communication between the company and the user, and setting certain limits that are known by both parties, may help electronic commerce to grow in popularity for years to come.
