“Smart mirrors” and marketing: privacy concerns

Who: Marketers and smart mirror users

Where: UK

When: 16 May 2016

Law stated as at: 16 May 2016

What happened:

Mirrors are the latest in a long list of everyday items to get a 21st century, internet-of-things-style facelift.

Not happy with satisfying its primary purpose of allowing users to admire themselves, the common or garden mirror could soon be much “smarter”, enabling it to fulfil a whole host of purposes that have not previously been part of the mirror’s repertoire.

Cutting edge “hidden display technology” is being used in mirrors in a range of contexts and for different purposes, including the following:

1. In a retail context:

Mirrors in fitting rooms allow customers to try on a piece of clothing in a different colour (without having to go through the hassle of changing), view accessories which may go with their chosen attire, and place items in a virtual shopping basket.

Meanwhile, data collected by the mirror allows the retailer to gain insights into valuable customer behaviour.

2. For health monitoring purposes:

Mirrors are currently being developed which use facial recognition technology, gas sensors and 3D scanners to look for signs of stress or anxiety, to give an indication of how much a person drinks or smokes and to spot weight gain or loss, before giving an overall “health score”.

3. To help manage busy lives:

Interactive mirrors may be used in your home to let you know first thing in the morning what your schedule is for the day, where you need to be, and when (as well as telling you a myriad of other things)!

For marketers, these “smart” or interactive mirrors provide exciting new ways of delivering targeted advertising; be it in relation to health and beauty products, vitamins or restaurant suggestions (to name but a few).

Why this matters: 

“Smart” mirrors, including the use of them to deliver targeted advertising, raise important data protection and privacy related concerns.

In particular, organisations will need to consider the extent to which the EU’s Data Protection Directive (implemented in the UK by the Data Protection Act 1998) and the e-Privacy Directive (implemented in the UK by the Privacy and Electronic Communications Regulations 2003) apply to them, and how they ensure compliance.

The impact of the General Data Protection Regulation (“GDPR“) – which will come into force on 25 May 2018 and replace the Data Protection Directive – will also need to be borne into account.

Some key questions to consider are as follows:

1. To what extent are you processing “personal data”, bearing in mind that this definition has been (and continues to be) interpreted broadly?
2. To what extent are you processing “sensitive personal data” or “special categories of personal data” (as defined under the GDPR)? Under the GDPR, “special categories of personal data” explicitly include genetic or biometric data, and Member States have a right to impose further conditions – including restrictions – on the grounds for processing those categories of data.
3. Are you processing personal data for your own purposes (so as to be a data controller) or on behalf of another organisation (so as to be a data processor)?
4. Are you (perhaps inadvertently) processing personal data relating to children? If so, what are the implications of doing so? This will be particularly relevant under the GDPR.
5. Do you need to obtain an individual’s consent to process their personal data for the purposes of delivering targeted advertising? This will depend on the types of personal data being processed, and whether the restrictions on profiling/automated decision making apply.
6. Practically, how will you gather consent from, and communicate rights to, individuals whose personal data will be processed for the purposes of delivering targeted advertising? This is going to be challenging, particularly if the mirror is used in a public space.
7. How will you keep personal data secure? This is a key requirement under the Data Protection Directive and under the GDPR; the implications of a security breach are potentially severe, both in terms of financial and reputational damage.
8. How will you comply with individuals’ rights in relation to their personal data, which are expanded under the GDPR to include a right to object to specific types of processing, a right to erasure and a right to “restrict” processing?

“Smart” mirrors are another example of the obvious tension between technological innovation and legal compliance.

When considering whether to use “smart” mirrors, we recommend carrying out a full assessment of the data protection and privacy implications of doing so.