Digital deals, retail risks — legal watchpoints for digital transformations

Alex Harbin
02/07/2025

The retail industry is evolving quickly in response to rapid technological advancements, and retailers are racing to embark on digital transformation projects to stay competitive. There are few industries where the impact of digital transformation is as visible and tangible to the public as it is in retail. For example:

  • Omnichannel retailing is merging online and offline channels to provide consumers with a seamless shopping experience.
  • Retailers are investing in sophisticated e-commerce platforms integrated with mobile apps, CRM systems and payment gateways to better meet the demands of modern customers.
  • Other retailers are outsourcing the development of their IT infrastructure to access specialised expertise, scale operations quickly and reduce costs.  
  • Artificial intelligence and machine learning are being leveraged to enhance customer service through chatbots, personalised marketing efforts, and optimised inventory management. Advanced analytics enables retailers to gain valuable insights into consumer behaviour, forecast trends, and make data-driven decisions.
  • IoT devices are revolutionising the retail sector by enabling real-time inventory tracking, enhancing supply chain efficiency, and providing personalised in-store experiences. We could go on…

Whilst digital transformation offers significant benefits, it also introduces legal complexities and risks that retailers must navigate wisely. Gartner's Digital Markets 2024 Tech Trends Survey found that 49% of retailers regret one or more software purchases made in the past year and a half; top factors included difficulty training and onboarding users (36%) and poor tech support (31%). When digital transformation projects do go wrong in retail, the consequences can be immediate and severe. Issues with a new e-commerce platform or POS system can mean customers are unable to complete purchases, leading to direct revenue loss. Issues with buggy mobile apps or broken omnichannel experiences can frustrate customers, eroding loyalty.

Here, we look at just a few of the key considerations from a legal perspective that retailers should bear in mind when embarking on digital transformation journeys.

The importance of due diligence

Before diving into digital transformation projects, retailers must conduct thorough due diligence to avoid potential pitfalls. Before entering contracts with technology vendors or outsourcing partners, it's critical to evaluate potential vendors and their technologies meticulously, ensuring they align with business objectives and existing infrastructure. Retailers should assess vendors' track records for similar projects and verify their financial stability. An understanding of the specific needs and challenges of the retail sector is crucial, as these can differ significantly from other industries in terms of customer expectations and operational complexities.

Due diligence also encompasses assessing the legal implications of digital transformation projects. If seeking to use their own terms, retailers should ensure such terms are fit for purpose and capture the rights, remedies and other protections that will be required for the type of engagement. Digital transformation projects aren’t something retailers' legal teams will do every day and so a bespoke set of terms will likely be required. Equally, if the vendor's terms will be used, retailers should carefully examine such terms to identify potentially unacceptable risks.


Legal advisors (internal or external) can deliver the most benefit if engaged at the outset of the procurement process. Legal can provide useful input in structuring the procurement, for example, to maximise the competitive tension with multiple bidders. Good due diligence will also include an evaluation of the legal and regulatory implications of your new technologies, especially where customer data is involved or where a retailer operates across multiple jurisdictions as compliance obligations may vary. Legal can also play an important role in defining your core requirements and objectives (more on this below).

Lastly, due diligence should extend beyond the technical and legal to include cultural and operational fit. Digital transformation projects can be large-scale, long-duration and complex. They may also involve multiple third parties or require integration with legacy systems. They are sophisticated change programmes that often reshape how teams work, collaborate and deliver value and their success will often depend on how well internal users understand, accept and adopt the changes. A vendor's approach to collaboration, innovation and problem-solving can significantly influence the outcome and retailers should assess whether the vendor has a track record of supporting change management and user engagement. It's important these softer, people-centric elements make it into your contract and aren't just part of the sales pitch.

Clear scope and defining success

One of the most common causes of digital transformation failures is a poorly defined scope. For retailers, where the stakes are high and customer expectations are unforgiving, ambiguity in the scope can lead to misaligned expectations, delivery failures, and ultimately, disputes. From a legal perspective, a clear and detailed scope is not just project management best practice – it’s a critical risk mitigation tool.

When defining the scope as part of a contract's service description or one of multiple statements of work, it's important to articulate the "who", "what", "when", "where" and "how" of the project. This includes identifying the specific deliverables, timelines and responsibilities as well as things like the environment the solution will need to operate in (e.g. integrations). We also advise retail customers to ask themselves what success looks like in order to assess whether the scope is clearly aligned with such objectives.

A well-drafted scope will also serve as the foundation for holding the vendor accountable. If you believe the vendor has failed to deliver what was promised, it's important that the contract describes the clear benchmark against which performance can be measured and remedies pursued. Without this, enforcing obligations or claiming breach of contract becomes significantly more difficult.

As alluded to already, involving Legal early will help to ensure that language used in the scoping process is precise, enforceable and aligned with your objectives.

Contracting for AI

Many retailers are seeking to embed artificial intelligence (AI) in their retail operations and many technology vendors are introducing AI capabilities as part of their solutions. Whether retailers are using AI for customer service chatbots, predictive analysis or dynamic pricing, retailers must approach AI contracting with a clear understanding of the unique legal and operational risks involved.

Retailers will need to assess the limitations of the technologies to carefully balance business expectations with a sound risk management approach. Retailers should ensure the relevant contract addresses intended use cases and performance thresholds. For example, if outputs are generated autonomously, it's important to allocate responsibility for errors or unintended consequences, particularly where customer experience is at stake.

Ownership and protection of proprietary data is an important consideration for any digital transformation project but it's particularly pertinent to the use of AI. Retailers will need to consider issues such as the ownership of AI outputs and whether the AI model is trained on the retailer's proprietary inputs.

Finally, given the evolving regulatory landscape around AI (such as the EU AI Act), contracts should include provisions ensuring compliance with applicable laws and the ability to adapt to future legal developments. Retailers may also seek robust provisions addressing ethical use, bias mitigation and human oversight, particularly if the AI solution is customer-facing. By proactively addressing these considerations in their contracts, retailers can leverage AI technologies effectively while safeguarding their interests and maintaining strong vendor relationships.

Cybersecurity

More than a third of global organisations have been the victim of a cyber-attack in the past year. Cybersecurity should therefore be at the forefront of retailers' considerations when undergoing digital transformation. The integration of new technologies will expand retailers' digital footprint and, with it, their exposure to cyber threats. Digital transformation can often be performed piecemeal, and the integration of new technologies with legacy infrastructure can introduce unanticipated vulnerabilities.

Recent high-profile incidents underscore the stakes. Earlier this year we saw Marks and Spencer (M&S) suffer a data breach which resulted in stolen customer data and disruption to its online sales. Co-op also faced operational disruption due to a ransomware attack targeting its supply chain. These events highlight how cyber incidents can potentially result in damage to the brand, lost revenue, contractual liabilities, as well as regulatory investigations.  

Retailers should ensure that cybersecurity is embedded into the design and procurement of digital solutions and that contracts include robust provisions around data protection, incident response and vendor obligations in the event of a breach. In preparing the contract, legal teams should work closely with the information security team to ensure appropriate technical and organisational measures are reflected in the contract and that the vendor is compliant with relevant standards (e.g. ISO 27001). The legal team should also ensure that liability caps and indemnities in the contract reflect the potential impact of a cyber event.

Ultimately, cybersecurity is not just an IT issue; it’s a legal and reputational risk that must be managed proactively from the outset of any digital transformation project.

Our market-leading technology law team has extensive experience and expertise advising both retailers and vendors in delivering digital transformation projects and is ideally placed to support you to achieve your strategic objectives when it comes to navigating the risks associated with such projects. For information, please get in touch with our team.