Last week, the EU Data Act – or Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data, to give it its formal title – came into effect throughout the EU member states.

Users of connected products in the EU now have a legal right to access data generated through their use of such products and related services. These range from data collected by smart tech devices (such as washing machines, wearable fitness trackers, voice activated AI and robot vacuum cleaners) to electric and GPS enabled cars, as well as online data dashboards and remote monitoring apps. Recognising that data-driven technologies have had a transformative effect on the economy, the European Commission hopes to unlock the valuable data generated by connected products and services through the “Internet of Things” (IoT). This applies to all users, including businesses, and not just consumers.

The subsequent use of the data by the user for lawful purposes is unrestricted. Where the data cannot be directly accessed by the user, providers are required to make the data easily available, without undue delay, free of charge and in an accessible format.

Importantly, the Act does not alter obligations to protect personal data and minimise its collection under the GDPR and, accordingly, does not grant data controllers new permission to process or disclose personal data in a way which would be incompatible with the GDPR. Also, the requirement to disclose data does not extend to additional insights or conclusions obtained by the service provider, as a result of financial investment or other allocation of resources (such as proprietary algorithms or other IPR), as the provider may wish to monetise these data sets separately.

One aspiration of the Commission is that alternative service offerings will emerge and open up competitive markets for data services. For example, until now, Google (the parent company of Fitbit) has had an exclusive monopoly over the provision of enhanced data analytics and insights services based on the data collected by Fitbit smartwatches and charges users around £80 per year in the UK to access “Fitbit Premium”. It is likely that in response to this new legislation, competing services will be launched and Google will be required to transfer the underlying tracking data to those competitors free of charge (although not the enhanced analytics generated by the Premium service).

Whilst the EU Data Act does not apply in the UK, any providers of IoT products that supply into the EU will need to be aware of the new requirements and have in place timely procedures to ensure compliance. Penalties are set at a national level and determined by each member state. If there is also a breach of the GDPR (such as a failure to grant a right of access to personal data), additional fines and sanctions may be imposed by the applicable data regulator.

Ultimately, through the legislation, the EU is continuing its drive to create a more equal playing field for businesses operating in the online space and tackling the dominance and significant market powers of the big data platforms. Notably, implementation comes hot on the heels of the Commission’s decision earlier this month (5 September 2025) to fine Google €2.95 billion for favouring its own advertising technology services to the detriment of competing providers. Although the UK Government has not gone as far or as fast with its proposals to regulate smart-data access, the direction of travel is similar and businesses in the UK can expect to be required to grant greater data sharing rights to tech users in future.

 

Picture credit: MixMagic


The growth in online retail hit a 13-year high in 2020, as bricks and mortar retailers were forced to close their doors for large parts of the year.

The momentum behind eCommerce was already gathering pace, but the global pandemic has only served to accelerate this growth, resulting in an increase in online retail sales of 36% year-on-year in 2020, according to the latest IMRG Capgemini Online Retail Index.

Government-imposed restrictions were debilitating for the high street, but presented online retailers with the upper hand, as consumers continued to move towards digital channels in an attempt to navigate a series of tiered lockdowns.

There’s little doubt that retail in 2020 was fundamentally shaped by the coronavirus. As we continue on the roadmap to recovery, the question now is whether the online momentum can be sustained, and whether online retailers can capitalise on the largest growth seen in the market since 2007.

Data, data, data

While adaptability was crucial in 2020, it’s the utilisation of customer information that will be key to providing a more personalised and targeted consumer approach moving forward – particularly for retailers trying to harness the last year’s online trading boom now that physical stores are re-opening in the UK.

Even retailers without an online sales platform, such as Primark, often have a strong online presence, utilising social media channels, influencers and online gaming. This can help retailers stay connected with consumers, build a sense of community and loyalty to the brand and maintain a relevance in the virtual world.

The main commercial driver for online expansion, aside from sales, is the collection and utilisation of personal data. But retailers have to be smart to maximise the potential this has and translate it into improvements in the customer journey and, ultimately, sales.

Since the implementation of the GDPR, consumers are increasingly savvy about the monetisation of their personal data and find certain marketing techniques intrusive. The ‘holy grail’ for retailers is to collect personal data in a discreet and authentic manner, whilst still complying with the transparency and fairness obligations of the GDPR.

Challenges to online retailers

The challenge for retailers is that many consumers are tired of the over-use of marketing emails, although there is a proven record that these do lead to increased sales. Fairly recent changes to the interpretation of cookies rules in the UK (PECR) have made it harder to set cookies that are beneficial to retailers, rather than merely essential for the operation of the website. Many retailers are not yet completely compliant with these rules, demonstrating the tension between lawful practices and maintaining a competitive advantage.

Under PECR, retailers should obtain opt-in consent before setting cookies which track user behaviour on other websites. What’s more, they should have some form of marketing consent prior to sending any “abandon cart” emails that prompt consumers to complete the checkout process. Collecting this type of data is extremely valuable to retailers and helps inform future product lines, advertising campaigns and business strategy. Clearly, it’s not possible to obtain this kind of detailed personal data in real life – shop assistants are not about to start following customers down the high street or harassing them to come to the checkout!

However, many retailers are able to combine online behaviour with real life activity to truly capitalise on consumer insights. For example, they can offer free Wi-Fi in-store and link reward cards to online accounts.

As we all adjust to living in the real world again, it will be interesting to see whether the online growth can be maintained and to what extent retailers are able to convert an enhanced online presence into sales in physical stores. Interestingly, the IMRG Capgemini Online Retail Index shows that it was actually multichannel retailers that performed better than online-only counterparts for the first time since 2017, with growth of 57% vs 9.1%.

Over the next 12 months we expect the UK data regulator, the ICO, to have a close eye on the innovative ways in which retailers are collecting data and perhaps start to take action against those who are not fully complying with the requirements of PECR.

If you would like to understand more about the latest regulations on data, email Danielle Amor on danielle.amor@pannonecorporate-com.stackstaging.com or call 07920 237676.
