Amazon Go versus the GDPR

Dhara Shah

Associate Editor

Loyola University Chicago School of Law, JD 2020

New data privacy regulations entail questioning both current and future technologies. Recently, Amazon has introduced a store concept that eliminates everyone’s least favorite things about shopping, long lines and small talk. Amazon Go is the grocery store of the future and these stores allow consumers to walk in, pick up the items that they need, and then walk right back out. That’s it. No long lines, no cashiers, no shopping carts. However, as great as this concept seems, there are still concerns from a data privacy standpoint as Amazon needs to collect personal data from its consumers in order to be able to lawfully execute these checkout-less stores.

What Data is Collected?

Collecting data is a controversial practice. However, Amazon Go’s collection of data transcends this issue to a new plane. In order to function as a “grab and go,” Amazon must not only collect basic information such as transaction data, but also collect information pertaining to how the consumer shops. This means recording and calculating every item the consumer picks up and decides to put back, the aisles walked down, and how often certain areas of the store are visited. While this isn’t the first thing that the average customer thinks is being collected and they may not raise an issue, it is still very important for companies to consider as General Data Protection Regulation (GDPR) and GDPR-like laws are introduced across the world.

What Data is “Normally” Collected?

The main argument of Amazon supporters is that the data being collected through Amazon Go does not exceed what is already being collected through loyalty programs and credit cards at traditional grocery stores. Under Amazon’s practice, information is being collected in a different way and all by one company while in traditional grocery stores information is arguably at a higher risk with it being collected and stored by a variety of companies, ranging from the store to the loyalty program.

A large concern also exists with the false rumor that Amazon is employing facial-recognition software in their new stores. However, Amazon has specifically stated that it does not employ facial-recognition software, and the information that is collected is also collected during traditional modes of shopping – no new data is being collected for this new technology.

How does the GDPR affect Amazon Go?

The GDPR must be considered when analyzing if this method of data collection meets compliance standards or if it breaks data privacy laws. The GDPR mandates that data collection should satisfy at least one of the six legal grounds. The most important and relevant legal grounds to Amazon Go are seen to be (a) consent, (b) that the processing is necessary for the performance of a contract, and (f) a legitimate interest.

The GDPR requires consumer consent for data collection to have the upmost transparency. Amazon meets this requirement with a “Terms of Service” for the consumer to view and agree to when signing up for an Amazon Prime account, which is necessary to shop at an Amazon Go store. Part (b) GDPR also allows for data collection when the processing of data is necessary for the performance of a contract. Amazon’s usual methods of data collection and use regarding their online store are perfectly legal, thus it follows that no issues should be raised for the Amazon Go stores. Both of these different shopping platforms track and process the user’s “footprint”, or how they use the store – whether online or in person, in order to better the user’s experience and service use overall.

Amazon’s legitimate interest in collecting user data is also an area of contention. Amazon can be seen to have a legitimate interest in tracking what a user buys in order to properly function as a “grab and go” store. However, does such an interest extend to the collection of user data to help improve the service the company is providing? As the GDPR and other data privacy laws go into effect, the answer to this question will become clearer. However, for now, it has been argued that Amazon does have a legitimate interest in not only collecting and tracking user data, but also in analyzing and implementing it to enhance the quality of its service. Amazon thrives not only because of its ability to provide a wide range of products to consumers, but because its data collection practices enable the consumer to always see and find the products they want through its service. In order to make this happen, collection and analysis of user data can be seen to have a legitimate interest.

This “grab and go” grocery store of the future that Amazon has pioneered will only continue to expand. Sam’s Club has already unveiled “Sam’s Club Now” which implements a concept similar to Amazon to help streamline the user’s experience within the store. While more companies adapt and expand their technological reach, the law will need to continue to grow as well. As more data privacy regulations are introduced to compliment the GDPR, companies must keep the specific requirements in mind to ensure that their new technologies are implemented to comply with such laws.