Mobile May Force You To Rewrite Your Shoplifting Definitions. And 100 Other Things You Haven't Yet Thought Of

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

Mobile payment is going to change retail in an unknown number of unknown ways, and your lawyers will have healthy employment. Consider in-aisle checkout and shoplifting rules. Today, customers who put products in a concealed place—a pocket, backpack, purse, etc.—while still in the store can be convicted of shoplifting even if they have yet to reach the POS checkout area. The conceal part of that action is considered evidence of criminal intent.

Now let's see you try and enforce that rule when you have in-aisle mobile checkout. If someone scans and pays for an item in aisle 12, is that person now permitted to place it in a pocket? He or she now owns it, right? And what if that person had merely put it in a mobile shopping cart while walking to the other end of the store to compare two items before purchasing one?

There is clearly an easy policy answer for that—it's been paid for via mobile; in-pocket is legal. If it's only in a virtual shopping cart, then in-pocket is a no-no. But how many retailers have thought through these types of mobile policy implications?

There is going to be some new retail mobile-payment technology, and I have no idea what it is going to be. But whatever it is, it will create jobs. Jobs for lawyers, that is. Every new technological advance pushes the envelope of existing law and regulation, and retail payment is no different.

Because the law works by defining rights and responsibilities of parties, the definitions themselves are tested by new technologies. That's why every new technology should have a legal, privacy and compliance review. Consider a simple RFID payment system. Consumers fill a basket of goods in the store, and as they walk out a device in the store queries all of the items in the basket, determines the identity of the item, looks up the current price, and then charges a contactless credit/debit card of the consumer. Pretty cool. Let's assume everything works as planned.

The first problem (or advantage) here is privacy. By linking the specific items purchased to the identifiable payment system, we not only know that Joe likes peanut butter and bananas but that he chooses Jif (creamy, not organic). Our barcode scanner already told us that, though. Now, however, we know the specific lot number he purchased. This may help us manage a product recall of a specific lot. It may also create a duty by the retailer to notify the customer that there has, in fact, been a safety or other recall, because the retailer now has that information available.

Another privacy/legal issue relates to the fact that the RFID tags may be queried after the consumer leaves the store. Just as the grocer can ask "what's in the bag?" so, too, can the cops—or the robbers. Absent some type of "kill switch," a person could walk down the street and "read" what other people are wearing and what's in their shopping bags. That person may also be able to learn when and where the items were purchased. Every functionality comes with privacy, security and legal implications.

Some of the security issues are obvious, others not so much. Sure, the contactless payment system must be secured, and there has to be some "second factor" authentication that the purchaser is authorized. There also has to be a mechanism to ensure that the payment system is not charged without authorization and that the merchant isn't falsely "loading up" on items. Before deploying a system, a retailer must consider all of the things that could reasonably go wrong (and many of them that would not be so reasonable).

There's a lot of law out there. There's a lot of law out there: laws that regulate retailers' behavior (e.g., can't collect ZIP codes in California), duties to warn, duties to protect, etc. How does your new technology impact each of these laws? How are consumers likely to use and misuse the technology, and how might it impact your rights and theirs? If you can walk out with a shopping cart of goods, is it shoplifting if someone puts items into a purse or (as in the movie Animal House) shoves a London broil down their pants? When and where is the "purchase" made? Remember, as a retailer, you have to consider not only appropriate uses of the technology but also inappropriate uses.

For example, with many communities enacting "paper (plastic) bag" laws that charge for store-supplied bags, the fact that a customer puts items into a backpack or a pocket, coupled with a scanning and payment system that no longer requires a visit to the register, may no longer prove to be evidence of intent to shoplift. If you add the fact that customers may be able to pay for a product even after they leave the confines of the store, you have muddied the waters on the law of shoplifting.

You also have to consider the possibility that your employees will misuse the technology. Whenever information is collected, there will be an implied (and sometimes express) duty to protect that data, and to use that data solely for the purposes for which it was collected. Although these duties are not always apparent under U.S. law (more so under European law), it's a good working assumption. Many new technologies create massive amounts of new data streams or slice and dice existing data streams. These create new duties and new potential liabilities.

New technologies present opportunities for discriminatory treatment of customers, which can lead to consumer dissatisfaction and litigation. For example, if your store randomly checks out the shopping baskets of people who paid with an RFID system, then you run the risk that these checks aren't really "random" but unlawfully target particular protected classes of people. If a new technology is deployed in a discriminatory way (only in particular stores with particular kinds of clientele), this, too, can lead either to discrimination litigation or to customer unhappiness. Some discrimination is good—and indeed leads to customization that can be beneficial to the customer. Some is plain illegal. You'd better know the difference.

This just scratches the surface of some of the legal issues that can happen with new technologies. And don't think that, as a retailer, you can sue the manufacturer of the device you deploy. Even if the company represents that its technology is "legal," it all depends on how that tech is used and deployed—and that choice is typically up to retailers themselves. You know the argument—"guns don't kill people." So before you deploy, look at what could go wrong, because it probably will.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.