Dashing deliveries from Amazon
Last week Amazon launched the Amazon Dash Button for Amazon Prime customers based in the UK. The Dash Button allows customers to order supplies of products such as toilet roll, cat food or even Play-Doh at the touch of a Wi-Fi connected button. We consider some of the legal implications of this new product.
Each Dash Button is paired with a product of your choice which you press when running low. The service is configurable, so you can be notified on the Amazon app with each order, or so that new products won’t be ordered until your prior order has been delivered, regardless of how many times the Dash Button is pressed. This means there is no need to worry about young fingers pushing the button multiple times, but also that the Dash Button is not without user interface or control.
The Dash Button is only a stepping stone for Amazon as it delves deeper into the Internet of Things – the connectivity of everyday objects with the infrastructure of the Internet. Coming next is the Amazon Dash Replenishment Service, which enables connected devices to order products from Amazon when your supplies are running low. Your printer could soon make sure that you never run out of toner and your American-style fridge could automatically reorder water filters as they near their end of life.
With the General Data Protection Regulation (“GDPR”) coming into force on 25 May 2018, Amazon and other companies looking to develop new products for the Internet of Things will need to be aware of the developments in EU data protection law which will affect how they design and bring their devices to market.
Under the GDPR, data controllers will be obliged to adopt technical and organisational measures to protect data and must demonstrate that they are adhering to the concepts of privacy by design and privacy by default. This will include conducting data protection impact assessments in certain circumstances. If the impact assessment indicates that the processing would result in a high risk to individuals, businesses will be required to consult with the national data protection authority before any processing takes place.
Devices such as the Dash Button will enable companies to collect data relating to shopping and consumption habits, which is very valuable for retailers looking to market their products but will reveal significant information about people’s lives. Under the GDPR, those who collect and use personal data will need a legal basis for doing so, likely to be consent in this case. However, consent will become harder to obtain. Data controllers will need to demonstrate that they have obtained consent through a clear affirmative act which was freely given, specific, informed and unambiguous. Pushing a button alone to order laundry detergent is not going to be sufficient. This means that making sure that privacy notices are clear and available and that consent is captured at the time the Dash Button is purchased will be key, combined with some means of user interface for communication with the customer. Successful businesses will likely have to be innovative, utilising icons and alerts on devices together with some sort of dashboard for the account, to keep both customers and regulators on board.
With the maximum fines under the GDPR reaching EUR 20 million or 4% of annual worldwide turnover, a striking contrast with the current maximum fine of £500,000 under the Data Protection Act 1998, compliance with the GDPR is going to be a serious issue that will grab board-level attention. The Dash Button is just a precursor for the automated world to come, but organisations need to keep in mind customers’ privacy as well as convenience.