Author: Andy Miller

Google’s £44 Million GDPR Fine

Google has been fined a massive 50 million euros (£44m) for breach of GDPR dating back to May 2018 and relating to how well people were informed about how Google collected data to personalise advertising, and the matter of consent.

Who?

Google (Alphabet Inc) has been fined £44 million by the French data regulator CNIL.  The two complaints that brought about the investigation and the fine were filed in 2018 by privacy rights groups noyb and La Quadrature du Net (LQDN).

Even though the fine is eye-wateringly large, the maximum fine for large companies like Google under GDPR could have been 4% of annual turnover, which could equate to around €4bn.

Ad Personalisation & Google

Google personalises the adverts that are displayed when a person is signed in to their Google account based on ad-personalisation settings. When a person is signed out of their Google account, they are still subject to ad-personalisation across the Web on Google’s partner websites and apps based on their browsing history, and on Google Search based on their previous activity such as previous searches.

What & Why?

The two privacy groups complained that Google didn’t have a valid legal basis to process user data for ad-personalisation because of issues relating to transparency and consent.

The reasons for Google receiving the fine were that:

  1. Google failed to provide its users with transparent and understandable information on its data use policies.  This was because the “essential information” that users would have needed to understand how Google collected data to personalise advertising, and the extent of that information, was too difficult to find because it was spread across several documents.  This meant that the information was only fully accessible after several steps, e.g. up to five or six actions. Ultimately, this meant that users were unable to exercise their right to opt out of data-processing for personalisation of ads.
  2. It was also found that the option to personalise ads was “pre-ticked” when creating an account.  This meant that users were essentially giving consent in full for all the processing operations carried out by Google on the basis of that consent.  Under GDPR, however, consent is only ‘specific’ if it is given distinctly for each purpose.

Other Complaints

Privacy group noyb has also filed more formal complaints against Amazon, Apple, Google, Netflix, Spotify, and other entertainment streaming services. The reason, according to noyb, is that when people request a copy of the personal data that these companies hold on them, some of it may not be supplied in a format that can be easily understood.  GDPR requires companies to supply users with a copy of their data that is both machine-readable and can be easily understood.

What Does This Mean For Your Business?

Even before GDPR was introduced, many technology and security commentators predicted that the big names e.g. Google and Facebook would be the first to be targeted by privacy campaigners, and that appears to be what is happening here. In this case however, the fact that the complaints have created a record-breaking fine shows that there was genuine concern about a lack of compliance with GDPR from a company that many would have expected to be on top of the legislation and setting an example. It is likely that Google will need to make some significant modifications to some aspects of its services now, and that this may prompt other large tech companies to do the same in order to avoid similar fines and bad publicity.

This case is a reminder to businesses, particularly larger ones, that although GDPR appears to have been buried by concerns about Brexit, the need to stay compliant with GDPR is an ongoing process and should still be high on the business agenda.

Biggest Personal Data Breach Puts Password Effectiveness In The Spotlight

Password-based authentication has long been known to be less secure than other methods such as multi-step verification or biometrics, but a massive leak of a staggering 87GB of 772.9 million emails, 21.2 million passwords and 1.1 billion email address and password combinations recently shared on hacking forums has brought the inherent weaknesses of password authentication into sharp focus.

What Leak?

The massive leak of 2.6 billion rows of data from 12,000 files dubbed Collection #1 onto hacking forums was revealed in a blog post by security researcher Troy Hunt, who is most well-known for managing the ‘Have I Been Pwned’ service.

In his post, Mr Hunt said that the leaked personal data is a set of email addresses and passwords totalling 2,692,818,238 rows and is made up of many different data breaches from thousands of different sources. The data contains 772,904,991 unique email addresses, and 21,222,975 unique passwords, all of which can be put into 1,160,253,228 unique combinations.

Risks

Clearly, Mr Hunt has an interest in publicising the existence of Collection #1, and the fact that it has been incorporated into his ‘Have I Been Pwned’ service, but as he points out, if your password/email combinations are part of the collection and have not been changed since, you could face some serious risks.  For example:

  • Credential stuffing attacks. In this case, 2.7 billion of the username and password combinations could be put into a list and used for credential stuffing.  This is where cyber-criminals rely on the fact that people may use the same username and password combinations for multiple websites, and therefore, the criminals use software to automate the process of trying the breached username/password pairs on many other websites to see if they can gain access.
  • Phishing attacks.  The stolen credentials can be used to automatically send malicious emails to a victim’s list of contacts.
  • Targeted digital identity attacks. The breached credentials can be used in targeted attacks designed to steal a victim’s entire digital identity or steal their money or even to compromise their social media network data.

What Does This Mean For Your Business?

This story highlights the importance of always using strong passwords that you change on a regular basis. Also, it highlights the importance of not using the same usernames and passwords on multiple websites as this can provide an easy route to your data for criminals using credential stuffing.

Managing multiple passwords in a way that is secure, effective, and doesn’t have to rely on memory is difficult, particularly for businesses where there are multiple sites to manage. One tool that can help is a password manager.  Typically, these can be installed as browser plug-ins that are used to handle password capture and replay, and when logging into a secure site, they offer to save your credentials. On returning to that site, they can automatically fill in those credentials. Password managers can also generate new passwords when you need them and automatically paste them into the right places, as well as being able to sync your passwords across all your devices. Examples of popular password managers include Dashlane, LastPass, Sticky Password, and Password Boss, and those which are password vaults in other programs and CRMs include Zoho Vault and Keeper Password Manager & Digital Vault.

If you’re worried that people in your organisation may be using passwords that have been stolen, Troy Hunt has provided a list of them here:  https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/  and provides some answers to popular questions about the stolen passwords in the ‘FAQs’ section of his blog post here: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
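The published Pwned Passwords list is distributed as rows of hashes with a breach count, and the usual way to check a password against it is to hash it locally and compare only a short prefix so the password itself never has to be disclosed. The following is an added example, not code from this newsletter or from Have I Been Pwned: it assumes the SHA-1 variant of the list (rows of the form `<SHA-1 HEX>:<count>`), and the sample rows, counts and candidate passwords are constructed for the example.

```python
"""Offline check of passwords against a Pwned Passwords-style breach list.

Constructed example: SAMPLE_LINES is a hand-made stand-in for a few rows of the
published SHA-1 list, whose rows have the form "<UPPERCASE SHA-1 HEX>:<count>".
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable

PREFIX_LEN = 5  # hex chars that select a "range", as in the k-anonymity lookup


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest of the UTF-8 password, the list's key format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Group rows by 5-char prefix -> {35-char suffix: breach count}.

    Damaged rows (missing ':', wrong digest length, non-numeric count) are
    skipped rather than aborting a multi-gigabyte load.
    """
    index: Dict[str, Dict[str, int]] = defaultdict(dict)
    for raw in lines:
        digest, sep, count = raw.strip().partition(":")
        digest, count = digest.upper(), count.strip()
        if not sep or len(digest) != 40 or not count.isdigit():
            continue
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = int(count)
    return index


def lookup_range(prefix: str, index: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Everything stored under one prefix: the only data a range query reveals."""
    return dict(index.get(prefix.upper(), {}))


def count_for_hash(digest: str, index: Dict[str, Dict[str, int]]) -> int:
    """Breach count for a full SHA-1 digest (0 if absent).

    Takes the digest, not the password, so an administrator holding only a
    hash dump can audit accounts without ever learning the plaintext.
    """
    digest = digest.upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return lookup_range(prefix, index).get(suffix, 0)


def count_for_password(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """Convenience wrapper: hash locally, then compare within the range."""
    return count_for_hash(sha1_hex(password), index)


def audit(passwords: Iterable[str], index: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Map each candidate password to its breach count, reporting only hits."""
    hits: Dict[str, int] = {}
    for pw in passwords:
        n = count_for_password(pw, index)
        if n:
            hits[pw] = n
    return hits


# Constructed sample rows. The first two digests are the well-known SHA-1 values
# of "password" and "123456"; the counts are made up for the example. The third
# row is lower-case on purpose, the fourth is damaged, and the fifth is a weak
# password hashed here so the example runs without the real multi-gigabyte file.
SAMPLE_LINES = [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",   # "password"
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:23547453",  # "123456"
    sha1_hex("letmein").lower() + ":1",
    "NOT-A-HASH:abc",
    sha1_hex("qwerty") + ":3912816",
]


if __name__ == "__main__":
    idx = build_index(SAMPLE_LINES)
    for pw, n in audit(["password", "letmein", "Tr0ub4dor&3-long-and-unique"], idx).items():
        print(f"{pw!r} seen {n} times in breach data")
```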

ICO Urges Businesses To Prepare For No-Deal Brexit

In a Westminster eForum event on GDPR practice in London, the director of strategic policy at the Information Commissioner’s Office, Jonathan Bamford, is reported to have urged businesses to prepare for a no-deal Brexit in terms of planning to stop interruption in data flows from Europe.

Why?

As explained by parliament.uk, three-quarters of the UK’s cross border data flows are with EU countries, and when the UK leaves the EU, it will leave the legal framework for moving data between the UK and the EU. This means that businesses may need to act to make sure that data flows can continue uninterrupted between the UK and the EU.  With a no-deal Brexit, this is going to be of particular importance because there may be no ‘adequacy agreement’ in place for some time.

What Is An Adequacy Agreement?

A decision of adequacy/adequacy agreement is made by the EC if they consider a country outside of the EU, which the UK will be after 29th March, as somewhere that provides a level of protection which is equivalent to that of the EU.  A ‘decision of adequacy’ will allow data to flow into and out of the EU without the need for other safeguards.

Unfortunately, if there is a no-deal Brexit, and there is no adequacy decision in place for some time, businesses and institutions may find themselves having to use alternative legal mechanisms that could be bureaucratic, costly, and could cause delays.

Not In Place Before Brexit

The ICO has warned that an adequacy agreement will not be in place before Brexit, hence the need for businesses to think about making some plans.

What Sort of Things May Be Affected?

Examples of things businesses may need to consider in order to maintain data flow post-Brexit include:

  • Organisations that receive data from Europe, and use cloud services based within the EU may need to think about what risks and disruption they could face if no adequacy agreement is in place, and what other mechanisms and agreements they may need to seek.
  • Finding out where company data is stored and who has access to it may be an issue.  Is your data stored in the UK or EU? There is also a need to understand data flow.
  • Possibly needing to renegotiate data services supplier contracts for GDPR (as some banks have done).
  • Global organisations operating in multiple jurisdictions may need to look at how data is transferred within their organisation and whether corporate rules need to be changed.
  • Organisations may need to look at where their riskiest and/or more important data transfers are, and plan to get Standard Contractual Clauses (SCCs) implemented i.e. contractual forms approved by the EU Commission as offering adequate protection for the personal data of individuals.

Absorbed in UK Law

For most businesses, because GDPR will be absorbed into UK law at the point of Brexit, there should be no major changes to the basic data rules that businesses need to follow.

Approved Industry Codes

Some business commentators have suggested that data transfers to ‘third countries’ could be carried out under an EDPB (European Data Protection Board) approved industry code if there was no adequacy agreement in place. This, however, looks unlikely to materialise in time for Brexit.

What Does This Mean For Your Business?

The UK must be able to move data between itself and the EU in order to maintain a healthy trading relationship after Brexit.  Also, UK citizens need to be assured that their personal data will be safeguarded after the UK leaves the EU.  Yes, GDPR will be absorbed into UK law as the Data Protection Bill on leaving the EU, which should bring satisfactory parity between UK and EU data laws, but it is worrying to think that UK businesses (and consumers) could be exposed to risks because there is unlikely to be an adequacy agreement in place for some time.

A no-deal Brexit could, therefore, threaten post-Brexit data flows and create more bureaucracy for UK businesses, which will need to work to ensure that they are seen to be ‘safe importers’ of data in data transfer agreements.

This is a complicated-enough subject for businesses anyway without considering the need to look at more pieces of the puzzle.  Businesses can find more information on the subject by studying the ICO’s guidance on ‘Data Protection if There’s No Brexit Deal’ here: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-there-s-no-brexit-deal/  and by studying the ICO’s ‘Leaving the EU – Six Steps To Take’ here: https://ico.org.uk/media/2553958/leaving-the-eu-six-steps-to-take.pdf.

No More Windows 10 Mobile Support – Microsoft Suggests Switching

Microsoft has formally announced on its support pages that, as of December 10th 2019, Windows 10 Mobile users can no longer expect security updates and support, and Microsoft recommends that customers then move to a supported Android or iOS device.

Windows 10 Mobile

Windows 10 Mobile is a mobile OS that was released in 2015 as the successor of Windows Phone 8.1 and is essentially an edition of Windows 10 running on devices that have less than a 9-inch screen. 

The end of Windows 10 Mobile support comes just over four years after Microsoft’s failed acquisition of Nokia’s devices and services businesses, which led to Microsoft having to write off $7.6 billion in 2015.  At the time, tech commentators wondered why Microsoft had got into the low-margin, highly competitive phone business, and Microsoft shifted its strategy from the standalone phone business to a strategy to grow the Windows ecosystem.  This effectively put the writing on the wall for Windows 10 Mobile, and many tech commentators have been waiting over the years for the formal announcement for the end of support to come.

What Is Coming To An End?

In this announcement, Microsoft has said that free security updates, non-security hot-fixes, assisted support options and online technical content updates from Microsoft will end for users of Windows 10 Mobile as of December 10, 2019.

Microsoft has also stressed that, although third parties or paid support programs may still provide ongoing support, Microsoft support will not publicly provide updates or patches for Windows 10 Mobile after that date.

The announcement does not mean that Windows 10 Mobile devices will shut down with the cessation of support, but that continuing to use the devices afterwards will mean higher risks because of issues such as the lack of security updates and the phasing-out of backups.

Which Models?

Microsoft says that only device models that are eligible for Windows 10 Mobile, version 1709 are supported through the December 10th end date. Also, for Lumia 640 and 640 XL phone models, Windows 10 Mobile version 1703 was the last supported OS version and will reach end of support on June 11th, 2019.

What Now?

The suggestion from Microsoft itself to Windows 10 Mobile customers is to move to a supported Android or iOS device.

Those customers who plan to keep using their Windows 10 Mobile device after the December 10th support cut-off date have been encouraged by Microsoft to manually create a backup before that date.  This can be done using Settings > Update & Security > Backup > More Options and then tapping on ‘Back up now’.

What Does This Mean For Your Business?

This announcement from Microsoft is certainly not unexpected.  Where commercial customers are concerned, they have the same cut-off dates as domestic customers, but Microsoft has said that it will be working with many commercial customers to ensure a successful migration to a supported platform prior to the end of support date. 

This is an acceptance and acknowledgement by Microsoft that most of the partners and customers of businesses already use Android or iOS platforms and devices.

Some commentators have suggested that the move to end support for Windows 10 Mobile may also be a way for Microsoft to clear the decks ready for the introduction of a new folding smartphone, codenamed ‘Andromeda’.  This remains to be seen.

£15K Fine For Ignoring Data Access Requests

SCL Elections, the parent company of the now defunct Cambridge Analytica which was famously involved in the Facebook profile harvesting scandal, has been fined £15,000 for failing to respond to a data access request from a US citizen, and for ignoring an enforcement notice by the UK’s Information Commissioner’s Office (ICO).

Data Protection Act

The fine was made for a breach of the Data Protection Act, which was the law in force at the time of the data request, originally made back in 2017.  GDPR, which came into force on 25th May 2018 (replacing the Data Protection Directive), covers the data protection rights of EU citizens.

The person who made the data request in this case, however, was US citizen Professor David Carroll, and SCL Elections wrongly believed that because he was not a UK citizen, he had no more right to request access to data “than a member of the Taliban sitting in a cave in Afghanistan”.

What Happened?

Professor David Carroll, who was based in New York in May 2017 at the time of his original data request under the UK Data Protection Act, asked SCL Elections’ Cambridge Analytica branch in the UK to provide all the data it had gathered on him. Under that law, SCL Elections should have responded within 40 days with a copy of the data, the source of the data, and a statement of whether the organisation had given, or intended to give, the data to others.

Professor Carroll, a Democrat, was reported to have been interested from an academic perspective in the practice of political ad targeting in elections and believed that he may have been targeted with messages that criticised Secretary Hillary Clinton with falsified or exaggerated information that may have negatively affected his sentiment about her candidacy.

Sent Basic Information On A Spreadsheet

Some weeks after Professor Carroll’s subject access request in early 2017, SCL Elections sent him a spreadsheet of basic information that it held about him.

However, that information contained accurate predictions of Professor Carroll’s views on some issues and had scored Carroll a 9 out of 10 on what it called a “traditional social and moral values importance rank”.

Wanted To Know How

This prompted Professor Carroll to submit a second request to SCL Elections, this time to find out what that ranking meant and what it was based on, and where the data about him came from. This second request was ignored by SCL.

The CEO of Cambridge Analytica at the time, Alexander Nix, told a UK parliamentary committee that his company would not provide American citizens, like David Carroll, all the data it holds on them, or tell them where the data came from, and Nix (mistakenly) said that there was no legislation in the US that allowed individuals to make such a request.

ICO Involved

The ICO then became involved with the UK’s Information Commissioner, Elizabeth Denham, sending a letter to SCL Elections (Cambridge Analytica) asking where the data on Professor Carroll came from, and what had been done with it.  A section 40 enforcement notice was also issued in May 2018 to SCL Elections, thereby making it a criminal matter if they failed to comply by responding to the request and by providing the full records as requested by Carroll. No records were forthcoming, which resulted in the recent prosecution, the first against Cambridge Analytica.

During the case at Hendon Magistrates Court, it was revealed that SCL Elections had a turnover of £25.1m and profits of £2.3m in 2016.  The judge fined SCL Elections £15,000 for failing to comply with the section 40 enforcement notice from the ICO and ordered the company (whose affairs are being handled by administrators, Crowe UK) to pay a contribution of £6,000 to the ICO’s legal costs, and a victim surcharge of £170.

Some Mitigating Circumstances

Although Counsel for SCL Elections’ administrators acknowledged that SCL Elections had failed to respond to the section 40 enforcement notice, they did highlight some mitigating circumstances, such as the company’s computer servers being seized by the ICO following a raid on the SCL Elections premises in March 2018.

What Does This Mean For Your Business?

This case shows that ignorance of data protection law is not a defence and that businesses and organisations need to protect their customers, stakeholders, and themselves by making sure that they fully understand and comply with data protection laws. This is particularly relevant in the UK since the introduction of GDPR.

As pointed out by Information Commissioner Elizabeth Denham in this case, companies and organisations that handle personal data need to respect people’s legal privacy rights and to understand that wherever a person lives in the world, if their data is being processed by a UK company, UK data protection laws apply. This case has also highlighted the fact that where there is no compliance with the law, and where ICO enforcement notices are ignored, action will be taken that could be very costly to the subject of that action.

Fake News Fact Checkers Working With Facebook

London-based, registered charity ‘Full Fact’ will now be working for Facebook, reviewing stories, images and videos, in an attempt to tackle misinformation that could “damage people’s health or safety or undermine democratic processes”.

Why?

The UK Brexit referendum, the 2017 UK general election, and the U.S. presidential election were all found to have suffered interference in the form of so-called ‘fake news’ / misinformation spread via Facebook, which appears to have affected the outcomes by influencing voters.

For example, back in 2018, it was revealed that London-based data analytics company, Cambridge Analytica, which was once headed by Trump’s key adviser Steve Bannon, had illegally harvested 50 million Facebook profiles in early 2014 in order to build a software program that was used to predict and generate personalised political adverts to influence choices at the ballot box in the last U.S. election. Russia was also implicated in trying to influence voters via Facebook.

Chief executive of Facebook, Mark Zuckerberg, was made to appear before the U.S. Congress in April to talk about how Facebook is tackling false reports, and even recently a video that was shared via Facebook (which had 4 million views before being taken down) falsely suggested that smart meters emit radiation levels that are harmful to health. The information in the video was believed by many even though it was false.

Scoring System

Back in August 2018, it was revealed that for 2 years Facebook had been trying to manage some misinformation issues by using a system (operated by its own ‘misinformation team’) that allocated a trustworthiness score to some members.  Facebook is reported to be already working with fact-checkers in more than 20 countries. Facebook is also reported to have had a working relationship with Full Fact since 2016.

Full Fact’s System

This new system from third-party Full Fact will now focus on Facebook in the UK.  When users flag up to Facebook what they suspect may be false content, the Full Fact team will identify and review public pictures, videos or stories and use a rating system that will categorise them as true, false or a mixture of accurate and inaccurate content.  Users will then be told if the story they’ve shared, or are about to share, has been checked by Full Fact, and they’ll be given the option to read more about the claim’s source, but will not be stopped from sharing anything.

Also, the false rating system should mean that false content will appear lower in news feeds, so it reaches fewer people. Satire from a page or domain that is a known satire publication will not be penalised.

Like other Facebook third-party fact-checkers, Full Fact will be able to act against pages and domains that repeatedly share false-rated content, e.g. by reducing their distribution and by reducing their ability to monetise and advertise.  Also, Full Fact should be able to stop repeat offenders from registering as a news page on Facebook.

Assurances

Full Fact has published assurances that among other things, they won’t be given access to Facebook users’ private data for any reason, Facebook will have no control over what they choose to check, and they will operate in a way that is independent, impartial and open.

Political Ad Transparency – New Rules

In October last year, Facebook also announced a new rule for the UK, which now means that anyone who wishes to place an advert relating to a live political issue, or promoting a UK political candidate, or referencing political figures, political parties, elections, legislation before Parliament or past referenda that are the subject of national debate, will need to prove their identity, and prove that they are based in the UK. The adverts they post will also have to carry a “Paid for by” disclaimer to enable Facebook users to see who they are engaging with when viewing the ad.

What Does This Mean For Your Business?

As users of social networks, we don’t want to see false news, and false news that influences the outcome of important issues (e.g. elections and referendums) has a knock-on effect on the economic and trade environment which, in turn, affects businesses.

Facebook appears to have lost a lot of trust over the Cambridge Analytica (SCL Elections) scandal, findings that Facebook was used to distribute posts of Russian origin to influence opinion in the U.S. election, and that the platform was also used by parties wishing to influence the outcome of the UK Referendum. Facebook, therefore, must show that it is taking the kind of action that doesn’t stifle free speech but does go some way to tackling the spread of misinformation via its platform.

There remains, however, some criticism in this case that Facebook may still be acting too slowly and not decisively enough, given the speed by which some false content can amass millions of views.

Reddit Locks Out Users Over Security Concerns

Online community Reddit shut some users out of their accounts and forced password resets due to “unusual activity” which may have been a ‘credential stuffing’ attempt by hackers.

Reddit

California-based Reddit, founded in 2005, is a kind of social network / online community.  Reddit, which is the fifth most popular site in the United States (Alexa figures), is split into over a million communities called “subreddits,” each one covering a different topic.  Reddit allows registered members to submit content to the site, and that content is voted up and down by other members.

What Happened With The Lockdown?

According to Reddit’s own reports, a large group of accounts had to be locked down due to a security concern which took the form of account activity that resembled someone using very simple passwords or the reuse of credentials across multiple websites or services – in other words, a credential-stuffing attempt.

Reddit’s admin known as “u/Sporkicide” reported that it appeared likely that a list of usernames and passwords, possibly taken from another compromised site, were being tried against other popular sites, including Reddit, to see if they work e.g. if a user had used the same username and password for multiple websites.

Reddit advised customers that those with locked accounts would be allowed to reset their passwords and thereby unlock and restore their accounts. Reddit said that the notification to do so would take the form of a notification to the account (affected customers could still log in to get it) and/or an email in reply to any support ticket raised by affected users.
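The pattern Reddit describes, one source trying a list of username/password pairs against many different accounts, looks quite different in authentication logs from a brute force against a single account or a user mistyping a password, and the accounts the source does get into are the ones whose password was reused. The following is an added example, not Reddit's code: the one-line-per-attempt log format, the addresses and the usernames are all constructed for the example, and the thresholds are assumptions to tune per service.

```python
"""Telling a credential-stuffing run apart from other failed-login noise.

Constructed example: the log format (one line per login attempt) and all of the
addresses and usernames are made up; they are not Reddit's logs.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[0-9A-Fa-f.:]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


class LoginEvent(NamedTuple):
    ts: str
    src: str
    user: str
    ok: bool


class SourceStats(NamedTuple):
    attempts: int
    distinct_users: int
    successes: int


def parse_events(lines: Iterable[str]) -> List[LoginEvent]:
    """Parse log lines; lines that do not match the format are skipped, not fatal."""
    events: List[LoginEvent] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(LoginEvent(m["ts"], m["src"], m["user"], m["result"] == "OK"))
    return events


def per_source_stats(events: Iterable[LoginEvent]) -> Dict[str, SourceStats]:
    """Aggregate attempts, distinct usernames and successes per source address."""
    attempts: Dict[str, int] = defaultdict(int)
    users: Dict[str, Set[str]] = defaultdict(set)
    successes: Dict[str, int] = defaultdict(int)
    for e in events:
        attempts[e.src] += 1
        users[e.src].add(e.user)
        successes[e.src] += int(e.ok)
    return {src: SourceStats(attempts[src], len(users[src]), successes[src]) for src in attempts}


def stuffing_sources(stats: Dict[str, SourceStats], min_users: int = 5,
                     max_success_rate: float = 0.2) -> List[str]:
    """Sources that spray many different accounts with a low hit rate.

    A brute force against one account has distinct_users == 1 and a user
    mistyping a password makes only a few attempts, so neither trips this rule.
    The thresholds are assumed starting points, not values from the article.
    """
    return sorted(
        src for src, s in stats.items()
        if s.distinct_users >= min_users and s.successes / s.attempts <= max_success_rate
    )


def accounts_touched(events: Iterable[LoginEvent], flagged: Set[str]) -> Set[str]:
    """Every account a flagged source tried: candidates for a precautionary lock."""
    return {e.user for e in events if e.src in flagged}


def accounts_compromised(events: Iterable[LoginEvent], flagged: Set[str]) -> Set[str]:
    """Accounts a flagged source actually got into: the password is reused, force a reset."""
    return {e.user for e in events if e.src in flagged and e.ok}


# Constructed log: a stuffing run from 203.0.113.7 (seven accounts, one hit), a
# single-account brute force from 198.51.100.9, a legitimate typo-then-success
# from 192.0.2.20, and one damaged line that the parser must ignore.
SAMPLE_LOG = [
    "2019-01-09T10:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2019-01-09T10:00:02Z src=203.0.113.7 user=bob result=FAIL",
    "2019-01-09T10:00:03Z src=203.0.113.7 user=carol result=OK",
    "2019-01-09T10:00:04Z src=203.0.113.7 user=dave result=FAIL",
    "2019-01-09T10:00:05Z src=203.0.113.7 user=erin result=FAIL",
    "2019-01-09T10:00:06Z src=203.0.113.7 user=frank result=FAIL",
    "2019-01-09T10:00:07Z src=203.0.113.7 user=grace result=FAIL",
    *[f"2019-01-09T10:01:{i:02d}Z src=198.51.100.9 user=admin result=FAIL" for i in range(8)],
    "2019-01-09T10:02:00Z src=192.0.2.20 user=alice result=FAIL",
    "2019-01-09T10:02:09Z src=192.0.2.20 user=alice result=OK",
    "this line is corrupt and must be ignored",
]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = set(stuffing_sources(per_source_stats(evs)))
    print("stuffing sources:", sorted(flagged))
    print("lock for review:", sorted(accounts_touched(evs, flagged)))
    print("force reset:", sorted(accounts_compromised(evs, flagged)))
```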

Not The First Time

Back in August 2018 Reddit reported that between June 14th and June 18th, an attacker compromised some employee accounts through their cloud and source code hosting providers and was able to access some user data, including email addresses and a complete 2007 database backup containing old passwords and early Reddit user data from the site’s launch in 2005 through May 2007.

Advice

As well as announcing that it was conducting a “painstaking investigation” of the incident, Reddit advised users to make sure that they choose strong passwords that are unique to Reddit, update their email addresses to enable automated password resets, and add two-factor authentication to their accounts to make them more secure.

What Does This Mean For Your Business?

This story highlights the importance of not using the same username and password across many websites.  The danger is that, if hackers can steal login credentials in a hack on one website, they or other attackers who have purchased / acquired the stolen data may well try to use that login data on many other popular websites to try and gain access.

Also, where other security measures such as two-factor authentication are available, it is worth using it as an extra obstacle to the kind of simple, opportunistic credential-stuffing attempts that are all-too-frequent.

Businesses / organisations should always encourage users to use login details that are unique to their website, give visual guidance on password strength on set-up, and specify a certain number of required characters for passwords e.g. including a capital letter, numbers, other special characters, and making the password a certain length.  As well as being a bit more secure, this can also help to stop people from using exactly the same password between multiple sites.

Windows 7 Activation Errors A Coincidence Says Microsoft

Just after the January update on 8th January, Windows 7 users began to experience activation errors, but Microsoft put the issues down to coincidence, despite admitting that it had reverted changes made to activation servers in the update in order to fix the problem.

What Is An Activation Error?

Windows Activation Technologies are used by Microsoft to help confirm that the copy of Windows 7 that a user is running on their computer is genuine.  For example, the activation key is a 25-character code located on the Certificate of Authenticity label or on the proof of license label, and the validation feature of Activation Technologies is the online process in which users must verify that the copy of Windows 7 running on their computer is activated correctly and is genuine.

An activation error, therefore, is when a user’s system wrongly notifies them that their copy of Windows is not genuine.

Which Update?

On 8th January, there was a monthly ‘Rollup’ security update for Windows 7 Service Pack 1, and Windows Server 2008 R2 Service Pack 1.  The update was designed to improve and fix certain issues with Windows 7 e.g. fixing a vulnerability known as ‘Speculative Store Bypass’, and adding security updates to Windows Kernel, Windows Storage and Filesystems, Windows Wireless Networking, and the Microsoft JET Database Engine.

Coincidence?

According to Microsoft, the fact that users received “Windows is not genuine” and “Your computer might be running a counterfeit copy of Windows” notifications at the same time as the January updates (KB4480960 and KB4480970) were introduced was simply a coincidence. Despite describing it as such, the problems were listed in a table of “known issues in this update” on Microsoft’s support pages.

Reverted The Change

Microsoft announced on 9th January that it had fixed the issue by reverting the change that was made to Microsoft Activation and Validation servers.

What Does This Mean For Your Business?

For many Windows 7 users, the change meant a day of disruption on the Tuesday of the first full week back after the Christmas and New Year break.  For many of these users however, this appears to be one more in a long line of incidents, nudges and pointers that look like they’re designed to encourage them to finally make the switch over to Microsoft’s Windows 10 and its SaaS model. Microsoft ended its mainstream support for Windows 7 on January 13th, 2015, and the extended support will only continue until January 14th, 2020, after which time Microsoft says on its website that users can “keep the good times rolling by moving to Windows 10”.

Over Half Of Us Will Buy Food Online By 2021

A study by Capgemini has found that more than half of UK consumers will order their groceries from online retailers by 2021.

40% Now

The study found that a massive 40% of customers already do their grocery shopping online, and that 43% of customers shop for food online at least once a week.

Big Issues Around Delivery

The study also revealed some big issues that customers had around the subject of delivery.

For example, even though 59% of customers said that they are not satisfied with current high delivery prices, only 1% of retailers are willing to cover full delivery costs for shopping.

Also, nearly half of the consumers surveyed said they would stop spending with a retailer if they had a bad delivery experience, but on the upside, 53% of customers said that if they had a good delivery experience with a brand, they would be willing to pay for a membership if it meant that they could keep having good delivery experiences in the future.

The study also showed that 65% of customers are finding greater satisfaction in using delivery services other than traditional supermarket retailers e.g. Ocado and Google Express.  In fact, 64% of those surveyed said they didn’t care whether their products were delivered by a brand or by a third party, and some of those surveyed said they’d even deliver products to their nearby neighbours in return for an incentive from the retailer.

The ‘Last-Mile’ Cost

One of the big problems that retailers face in delivering groceries is the so-called ‘last mile’.  This is the movement of goods from a transportation hub to the final delivery destination (i.e. your home), and this part of the supply chain accounts for 41% of the overall delivery cost for retailers.  This may explain the reluctance of retailers to cover full delivery costs for shopping, as shown by the survey.

Disconnect

The study also highlights a disconnect between the expectations of customers and retailers.  For example, although customers appear to place a high value on low delivery costs, only 30% of retailers think this is important.  Also, whereas a massive 73% of customers want to choose a convenient delivery time slot for goods, only 19% of retailers regard this as a priority.

What Does This Mean For Your Business?

There is no doubt that many of us are now used to (and prefer) online shopping for many things, including groceries, and if, as the study shows, even more of us are going to be doing our grocery shopping online going forward, grocery retailers are faced with several challenges in order to meet rising customer expectations and retain loyalty.  For example, retailers will need to be able to provide last-mile delivery services that customers value, without damaging their own profitability.  Also, retailers need to take more notice generally of issues around delivery that customers really value e.g. offering convenient delivery time slots/methods for goods, and minimising delivery costs to customers.

One thing the study has indicated is that customers may even be willing to try new delivery ideas, and even pay more if they can be assured of consistently better delivery experiences.  With this in mind, and with customer numbers rising, grocery retailers are likely to invest more in automating warehouse and product sorting to reduce costs and embrace new things such as machine learning and automation technology to make the supply chain more efficient.