Retailers are concerned with the impact of potential privacy legislation out of Washington, D.C., but they don't know what exactly to be afraid of since a number of scenarios could unfold based on activity in Congress, Cathy Hotka, VP of IT at the National Retail Federation (NRF) told an audience at the Brainstorm Group's E-Business Integration Conference Series recently in Chicago.

Based in Washington, where it has easy access to Congress for lobbying and information-gathering purposes, the NRF is the world's largest retail trade association. The group's IT council represents 45 member companies including the largest retailers. Hotka is a liaison between the retail industry's IT management and Congress.

Retailers compile customer data first from the store, then from catalogs and now from the Web. While brick and mortar retailers have always treated customer data as their lifeblood, Web-based retailers have access to much more data, such as what the customer looked at and did not buy. "This has flipped out members of Congress. They don't like it. They think it's creepy," said Hotka. The first Internet customer data privacy legislation was introduced five years ago, and Hotka expects this year one or more bills will pass governing collection of customer data on the Internet.

Meanwhile retailers are moving towards installation of kiosks that will enable customers to order items that may be out of stock, or customize items whether in the store or not. Retailers that have storefronts, Web sites and catalogs are moving to exploit the opportunity to create a single customer view across those different channels.

Today retailers manage customer data from Web interactions, store and catalog sales in very different ways. Most have the information in a data "silo" based on the data source, such as sale date, payment method, item purchased or a loyalty card. Only the savviest retailers are working on a single customer view across the data silos. "It's possible that legislation would make segregation of Web data mandatory, which would eliminate the multi-channel benefits of customer data," she said. On the other hand, if legislation required that the customer data be aggregated, it would take years to complete the work.

From a security perspective, a single database of customer data would pose an inviting target for hackers. Retailers would have to take pains to protect the data, and there is no industry-accepted way to performance security or privacy audits, Hotka said. "The word 'reasonable' keeps popping up in legislation," as a standard, she said.

The stakes are high because retailers are finding that customers who buy in more than one channel spend four times as much as customers who shop in a single channel.

Internationally, European Union privacy directives have already had a major impact on how data about European customers can be handled. The EU gives customers the right to opt out of a retailer's customer data, to view what information is in the database and to correct any inaccuracies found. This level of sophistication, Hotka suggested, is well beyond the current capability of most U.S. retailers. Most retail CIOs for example, would not know how to remove a customer from their database, she said.

Legislators sometimes have little grasp of the impact of laws they are considering. For example, a bill that would have forbidden the purchase of data by trading partners would have put out of business, because it would have prevented them from being able to pass customer-shipping information to an overnight carrier. Hotka spends much of her time discussing the impact of proposed bills with legislators to prevent this type of unintended consequence.

The uncertainty has led to a suspension of activity in the area of customer database consolidation in the retail industry, she said. Instead, many high-end retailers are focusing on customer relationship management projects.

Privacy issues are related to security issues, but the differences are many. In general, retailers are not putting a high priority on e-security. "They think they are fine," Hotka said. But, she predicted, "Someone in retailing one day will be the Exxon Valdez of security. Until then, retailers may have exhibit the best security practices."