Skip to main content

Track and Trace

Track and trace solutions which follow goods from the factory to consumers are solving a range of supply chain issues. We look at how track and trace solutions are developing and the risk implications surrounding these technologies.

Track and trace solutions which follow goods from the factory to consumers are solving a range of supply chain issues. We look at how track and trace solutions are developing and the risk implications surrounding these technologies.

Manufacturers, retailers and distributors have for a long time tagged goods in order to help with stock control. Historically this may have been through serial numbers and barcodes. As data analytics has become increasingly important, retailers are increasingly looking to use metrics to demonstrate supply chain efficiencies and provide transparency over things like delivery times and sustainability information for a better customer experience, and this flows down through the supply chain with wholesalers and logistics providers sometimes leading the way by implementing their own solutions. Well designed solutions can trace goods into the hands of the ultimate customer and then feedback data on their use and condition, thus allowing data mining to improve products, ensure their maintenance and of course potentially understand and up-sell to customers.

We continue to live in a global market, with international purchasing which brings with it increased risks of counterfeiting and illegal imports. Tackling the problem is a core concern for every actor in the supply chain. Suppliers and distributors need to be able to identify the problem; law enforcement agencies must have effective ways of protecting the public interest; and buyers need to be reassured if international trade is to thrive. There have even been a number of regulations from the European Commission requiring track and trace solutions for public health and customs purposes.

We explain some of the different technologies deployed in traceability schemes, key strategic questions to consider when structuring your contracts and some of the different legal aspects to the data generated in the process.   


Bar codes or QR codes feeding into a centralised database

Retailers may want different partners to input data or scan an item at various stages in the life of a product. By maintaining a centralised data repository, the retailer can use the data to oversee the various stages in the production process through distribution and sale. Tagged assets can continue to be traced through their lifecycle.

When using bar codes, manufacturers need to align their processes to apply or generate a code (potentially from a third party source, such as the ultimate retailer, who controls and issues unique codes for a production item or even the specific goods). The code may be applied to the goods or packaging and so there is a certain degree of planning and cost involved.

The European Commission has imposed this type of solution for verifying the authenticity of medicinal and tobacco products under the Falsified Medicines Directive and the Tobacco Products Directive, requiring industry to establish central data repository systems allowing bar codes to be generated and goods to be tracked at all stages from manufacture to point of sale. The Directives require unique IDs to be generated and applied at product level, and for the unique IDs to be kept by the manufacturer and transmitted to the central depository. The system ensures the IDs remain unique and regulators as well as everyone in the supply chain have transparency of information, helping to ensure product safety. There are some interesting (and transferable) lessons to be learned from these regulatory implementations, as it hasn't always been straightforward to get different stakeholders pulling together in the same direction.

Bar code and QR code solutions can be a reliable part of track and trace, but do not proactively feed data to those who want or need it – bar codes must be read at points in the supply chain. Moreover, they require centralised solutions to authenticate IDs. For these reasons other solutions are emerging with their own distinct advantages and disadvantages.

Connected devices / Internet of Things (IoT):

Predominantly used at present for tracking larger assets (e.g. shipping containers or delivery vehicles), a connected IoT solution can provide real-time data on the location of products or other key status indicators, like temperature or shock.

However, more and more connected devices are coming to market from TVs and fridges to children's toys and fire alarms. The potential to track goods into the hands of consumers is rapidly growing.

IoT devices can provide data streams to end users, where the design and functionality of the user interface will be important for establishing a brand and recognition. Of course, these devices can also collect data on the use of the goods and consumer behaviours. Organisations purchasing or developing this type of solution may therefore want to own or have exclusive rights in the user interface and control who in the supply chain can provide or receive data. They may need to establish technical requirements to operate with the user interface and the contract with the hardware vendor includes the necessary rights for interoperability if the user interface is procured from a separate vendor.

IoT devices, as the name suggestions, rely on connectivity which is usually achieved via wifi or mobile networks. If you're tracking devices using a global connectivity solution, you will also need to check your solution is suitably 'future-proofed' with countries switching off their 2G and even 3G networks, with more plans to do so (

A significant issue for many consumer organisations is the security and privacy concerns surrounding connected devices, and the legal implications are explained below.


Distributed ledger technology has been generating a lot of excitement for a while, and has the promise of doing away with central repositories. There have been a number of use cases promoted for the blockchain as a track and trace solutions, often for tracking high value or unique assets, such as diamonds, jewellery or artworks. However, we have yet to see a successful use-case for blockchain as a track and trace solution that overcomes the inherent difficultly in creating an inseparable link between the blockchain token and the physical asset itself.

Having considered some of the key technologies in brief, what are the likely commercial and legal implications of implementing or updating track and trace solutions?

Issues to consider

There are a number of issues to think through in how the solution is designed and the various relationships which must be managed.

  • Third party integration: The real value from track and trace solutions often comes from integrations with third parties, for example if a retailer provides a platform for suppliers to input their data or if a logistics company allows customers to access and view data on their deliveries.
  • Centralised authority: If you're tracking delivery vans, containers or other items where the real interest is in what's inside them, who will have access to the manifest data? If you're tracking larger or more valuable assets, do you need verification that the manifest matches the contents? If so, who will do this?
  • Ownership of the solution: One of the key strategic questions to consider before embarking on a track and trace project is whether you require exclusive use of the solution to establish a brand name, for example if you want to differentiate your core product by providing a unique data service on top, or alternatively if you simply want something off-the-shelf that can be more easily swapped out for a competing product further down the line. A hybrid strategy could be to use different vendors for different components, which can prove more challenging from a contractual / operational risk perspective, as a systems integration role may be required.

These and other issues should be considered at the design phase of a track and trace solution. The likely implications are the need to capture the responsibilities of different players in the chain in contracts and operational documentation. Not only must each player adhere to standards and implement technology to ensure the solutions work, but there will be an ongoing need to deal with support issues and technical failures. 


Track and trace solutions generate vast amounts of data. Often, there is significant commercial focus around implementing track and trace in order to maximise the value from data, but too often the detail is overlooked.

  • Commercialisation:
    • It’s key to consider at the outset what value you want to derive from the data. What rights will you give customers and business partners to access the data? Will you generate any analytics using the data, and what sort of data products do you want to generate? You should make sure you have licence terms in place with any third parties accessing the data making sure you retain the rights you need for any future commercial exploitation. If you are running centralised track and trace solutions, you may also want to ensure you are free to use data deposited with you for your own analytics and potentially to share information or provide analytics with your business partners.
    • Your supply contracts should make clear who owns or can exploit the rights in the data, who backs up the data and whether you need any support with data portability on termination. 
  • Personal data: If you’re tracking people, such as delivery drivers, or analysing the data from users to understand their behaviours then you will need to think about your GDPR obligations. You may well be obliged to carry out a Data Protection Impact Assessment to understand the GDPR implications. GDPR can affect the contracting structure depending on permissions you are seeking or giving and transfers of personal data overseas. It will also affect the security you must apply. Often, businesses think they are dealing with anonymous information, but the EU hurdle to qualify as personal data is much lower than people imagine. Assessing the situation early can ensure data does not need to later be scrapped or inhibited in use, not to mention help to avoid the prospect of regulatory enforcement.
  • Non-personal data: You may have missed it, but there’s now a regulation on the free-flow of non-personal data ( Initially, this will mainly impact buyers in the public sector who need to think carefully before imposing any restrictions on the territory of data storage, but look out for the codes of conduct envisaged under this regulation which the Commission will encourage service providers to develop by 29 November 2020 and implement six months later. 

Building track and trace solutions


The usual risks associated with technology implementations are likely to appear as well, including integration with third parties and software ownership and licensing concerns. Liability for inaccuracy or even fraud among the various participants must also be considered, particularly where data generated at one stage in the supply chain are relied on by a number of players at different stages in the supply chain who wouldn't otherwise have a direct connection.

Track and trace solutions should be seen not just as a technology implementation but as creating an ecosystem with different participants in which the risks need to be managed.

The choice of technology will also impact on the approach taken and the nature of the risks involved. Assessing the risks at the outset is paramount to ensure maximum value from track and trace implementations. As we look to the future, automation and artificial intelligence together with the decreasing costs of IoT devices will change the picture yet further. Track and trace remains a promising field for creating value out of the supply chain and to enable new and novel solutions to product lifecycle management and customer engagement.

Sign up to our email digest

Click to subscribe or manage your email preferences.