Data privacy in loyalty programs is not just a legal obligation, it is a matter of consumer trust. Program members expect their data to be safe, secure and used to enhance their experience. This article explores the General Data Protection Regulation (GDPR) in the context of loyalty programs with guidance for other jurisdictions on the current gold standard of data protection and privacy for its collection, storage, use and access.
What is GDPR?
The General Data Protection Regulation (GDPR) is the toughest data privacy and security law in the world. It imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the UK and EU. The GDPR requires loyalty program providers to be transparent about how their program processes customer data, imposing harsh fines for those who violate its standards. For programs outside the UK and EU, adhering to the GDPR regulation shall lower the risk of non-compliance arising from similar legal changes in other jurisdictions.
What does GDPR involve and how do I comply?
Data protection principles
- Lawfulness, fairness and transparency: Data processing must be lawful, fair, and transparent to the member.
- Purpose limitation: Process data for the legitimate purposes specified explicitly to the member when you collected it.
- Data minimization: Collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy: Keep personal data accurate and up to date.
- Storage limitation: Only store personally identifiable data for as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability: The organisation’s ‘data controller’ is responsible for being able to demonstrate GDPR compliance with all principles.
Within your loyalty program you must consider the data protection principles in the design of all new and existing initiatives (e.g., when launching a new loyalty app you must think about what personal data the app may collect from users, consider ways to minimise the amount of data and how you will secure it).
Coop Denmark
In 2020, Coop Denmark implemented a new program feature allowing members to track their carbon footprint based on their purchases. They provided clear communication about the purpose of this data collection and offered an opt-out option for members who were not comfortable sharing data. Coop actively engages with its members about data privacy, regularly conducting surveys and holding open forums to gather feedback and address concerns.
Individual member rights
Loyalty program members are well protected under GDPR. Below are the member rights by which your loyalty program must be able to adhere to:
- Right to be informed: Regarding how member’s personal data is being collected, used, and stored, in a clear and transparent manner. This includes information about the purposes of processing, the types of data being collected, the recipients of the data, and the retention periods.
- Right to access: Right to access their personal data and understand how it is being used.
- Right to rectification: Right to correct any inaccurate or incomplete data.
- Right to erasure (right to be forgotten): In certain circumstances, the right to have personal data erased.
- Right to restrict processing: Right to restrict the processing of their personal data.
- Right to data portability: Right to move their personal data from one organisation to another.
- Right to object: Right to object to the processing of their personal data for certain purposes, such as direct marketing.
- Rights in relation to automated decision making and profiling: Right not to be subject to decisions that are based solely on automated processing, including profiling, which produce legal effects or significantly affect them. This right aims to protect individuals from being subjected to decisions that are made without human intervention and that could have negative consequences.
Data security
As a loyalty program manager you are required to handle data securely by implementing “appropriate technical and organisational measures.”
Technical measures can be anything from requiring your employees to use two-factor authentication on systems where personal data is stored, to contracting with platform providers that use end-to-end encryption.
Organisational measures are activities such as staff trainings, adding a data privacy policy to your employee handbook, or limiting access to personal data to only those employees in your organisation who need it.
Additional requirements to be completed on a group-wide level and/or for the loyalty program as a standalone are DPIAs and DPOs.
Data Protection Impact Assessments (DPIAs): Organisations must conduct DPIAs for any processing that is likely to result in a high risk to the rights and freedoms of individuals.
Data Protection Officer (DPO): Certain organisations are required to appoint a DPO who is responsible for overseeing data protection compliance.
If a data breach does occur, you have 72 hours to inform those affected or you may face penalties.
Tip: If you use third-party service providers to facilitate your loyalty program, ensure that they also comply with GDPR standards. Implement written agreements with providers to guarantee data protection.
Marriott
Marriott International, which runs the Marriott Bonvoy loyalty program, experienced a significant data breach to their guest reservation system in 2018. The breach exposed personal information, including names, contact details, passport numbers, and payment card details, of around 500 million guests. The incident led to investigations and fines by multiple regulatory authorities.
Data processing
When processing member data, GDPR forbids its usage unless you can justify with one of the following reasons:
- The member gave you consent to process the data. (e.g. They’ve opted in to your marketing email list.)
- Consent must be “freely given, specific, informed and unambiguous.”
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
- Data subjects can withdraw previously given consent whenever they want, and you must honour their decision.
- Children under 13 can only give consent with permission from their parent.
- You need to keep documentary evidence of consent.
- You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)
- You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis and the UK Information Commissioner’s Office provides further guidance on the matter.
Penalties
The fines for violating the GDPR can be very high. There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus members have the right to seek compensation for damages.
British Airways Executive Club
British Airways faced a data breach in 2018 that impacted customers of its Executive Club loyalty program. The breach involved the theft of personal and financial data, including credit card information, of approximately 420,000 customers. Hackers intercepted and collected payment details on the British Airways website and app. British Airways received a substantial fine from the UK’s Information Commissioner’s Office (ICO) for failing to protect customers’ personal information adequately and in addition, individuals affected were able to claim compensation.
What are the differences between the UK and EU GDPR?
Following the UK’s exit from the EU, it maintained the GDPR as part of its domestic law, known as the UK GDPR. The UK GDPR is nearly identical to the EU GDPR, with some specific provisions tailored for the UK.
- Regulatory Authority: In the EU, the GDPR is overseen by various national data protection authorities and the European Data Protection Board (EDPB). In the UK, the Information Commissioner’s Office (ICO) is the regulatory authority.
- Data breach notification: The UK GDPR has slightly different timeframes for data breach notification compared to the EU GDPR.
- Appointment of Data Protection Officers (DPOs): The UK GDPR has a higher threshold for mandatory DPO appointments compared to the EU GDPR.
- Penalties and Fines: The UK ICO has the power to impose slightly different fines and penalties for non-compliance compared to EU data protection authorities.
- One-Stop-Shop Mechanism: Allows businesses operating in multiple EU member states to deal primarily with one lead supervisory authority. However, businesses with operations in both the UK and EU may need to deal with both the ICO and EU supervisory authorities.
- Organisation Representative: The EU GDPR requires organisations outside the EU that process personal data of EU residents to appoint an EU representative. The UK GDPR does not have this requirement for organisations outside the UK.
- International Data Transfers: Data transfers between the UK and the EU are generally unaffected as the UK has granted adequacy to the EU, for now.
Tip: It is important to stay up to date on any changes or developments in data protection regulations as the landscape may evolve over time.
What is the EU Omnibus Directive?
The Omnibus Directive widens the scope of the current EU GDPR framework to expand transparency for consumers regarding price reductions, personalised prices, personal data, and the authenticity of customer reviews.
The Directive applies to:
- Businesses engaging in B2C online transactions with customers in the EU
- Businesses offering digital services to EU consumers where personal data (not financial) is payment
Prominent obligations
- Inform about the prior price in cases of price reduction (display lowest price within last 30 days when applicable).
- Check whether reviews actually come from consumers of the purchased and/or used the product/service and provide information on how you ensure this.
- Apply regulations of GDPR and consumer protection rights to contracts for the provision of digital content or digital services without the consumer paying a specific monetary amount, but in exchange for their personal data.
- Inform if the price presented is personalised on the basis of automated decision-making and profiling or not.
- Inform whether the third party offering the goods, services or digital content through the online marketplace is conducting online business and offering digital services in exchange of personal data over financial compensation.
Loyalty programs must adapt terms and conditions and similar documentation such as offers and information available to members, to inform them of their rights and how they can be exercised. This includes the information regarding the right of withdrawal, to make a complaint or to terminate the agreement.
Data protection and privacy around the world
Several countries and regions have implemented robust data protection and privacy regulations to safeguard individuals’ personal information.
Tip: This DLA Piper website is a handy resource which compiles information regarding data protection laws around the world.
Here are some more resources related to notable regulations across the globe.
California Consumer Privacy Act (CCPA), United States: https://oag.ca.gov/privacy/ccpa
Privacy Act, Australia: https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-and-the-privacy-act
Personal Information Protection and Electronic Documents Act (PIPEDA), Canada: https://www.priv.gc.ca/media/2038/guide_org_e.pdf
Privacy Act, New Zealand: https://privacy.org.nz/privacy-act-2020/privacy-principles/
Personal Data Protection Act (PDPA), Singapore: https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act
General Data Protection Law (LGPD), Brazil: https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/
Data Protection Authority (DPA), South Africa: https://www.dataguidance.com/notes/south-africa-data-protection-overview
Personal Data Protection Law, Turkey: https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=6698&MevzuatTur=1&MevzuatTertip=5
These regulations vary in their scope, requirements, and enforcement mechanisms, but they all share the common goal of protecting individuals’ privacy and personal data in an increasingly digital world. Organisations that operate loyalty programs globally or handle the personal data of individuals in different jurisdictions must be aware of and comply with multiple data protection regulations.
Where can I go for support?
GDPR is a complex regulation with many nuances and it is important to consult with a legal professional or data protection expert. If you have questions about how it applies to your loyalty program reach out to the Loyalty & Reward Co team who can provide guidance as well as put you in touch with legal experts in your jurisdiction.
Referencias
Baker, A. (2018) ‘How the GDPR Affects Loyalty Programmes’, IT Governance Blog. Available at: https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-loyalty-programmes (Accessed: 7th December 2023)
Bannister, A. (2021) ‘British Airways agrees to pay victims of record-breaking data breach’, The Daily Swig. Available at: https://portswigger.net/daily-swig/british-airways-agrees-to-pay-victims-of-record-breaking-data-breach (Accessed: 15th December 2023)
Brierley (2022) ‘Loyalty Program Compliance with Data Security & Privacy Regulations’, Brierley Blog. Available at: https://www.brierley.com/blog/loyalty-program-compliance-with-data-security-privacy-regulations (Accessed: 7th December 2023)
Broumas, A. (2022) ‘Data Protection Aspects of Loyalty Schemes’, Law and Tech. Available at: https://lawandtech.eu/en/2022/01/02/data-protection-aspects-of-loyalty-schemes/ (Accessed: 7th December 2023)
Creaven, E. (2021) ‘The EU Omnibus Pricing Directive and What it Means for You’, Lexology. Available at: https://www.lexology.com/library/detail.aspx?g=efc2ff9a-2c4e-4291-96cc-613670813093 (Accessed: 12th December 2023)
Dempster, P. & Dixon, L. (2022) ‘Loyalty Programs and Data Protection: A Checklist for Program Providers’, Freeths Blog. Available at: https://www.freeths.co.uk/2022/09/12/loyalty-programs-and-data-protection-a-checklist-for-program-providers/#:~:text=The%20UK%20GDPR%20requires%20loyalty,Who%20you%20are (Accessed: 18th December 2023)
GDPR.eu ‘Differences between the UK and EU GDPR regulations’, GDPR.eu. Available at: https://www.gdpreu.org/differences-between-the-uk-and-eu-gdpr-regulations/ (Accessed: 18th December 2023)
Greenberg, E. (2023) ’10 Differences Between UK GDPR and EU GDPR’, Papaya Global Blog. Available at: https://www.papayaglobal.com/blog/10-differences-between-uk-gdpr-and-eu-gdpr/#:~:text=Data%20protection%20standards%3A%20while%20the,exemptions%20for%20certain%20public%20authorities. (Accessed: 18th December 2023)
GOV.UK (2018) ‘Data protection’, GOV.UK. Available at: https://www.gov.uk/data-protection (Accessed: 7th December 2023)
Komnenic, M. (2022) ‘EU Omnibus Directive Explained for Businesses and Consumers’, Termly. Available at: https://termly.io/resources/articles/eu-omnibus/ (Accessed: 12th December 2023)
Legat, O. (2022) ‘Omnibus Directive’, EY Law. Available at: https://www.ey.com/en_pl/law/omnibus-directive (Accessed: 12th December 2023)
Wolford, B. (2020) ‘What is GDPR?’, GDPR.eu. Available at: https://gdpr.eu/what-is-gdpr/ (Accessed: 7th December 2023)
Zalando ‘The EU Omnibus Pricing Directive and what it means for you’, Zalando Partner Portal. Available at: https://partnerportal.zalando.com/partners/s/article/The-EU-Omnibus-Pricing-Directive-and-what-it-means-for-you (Accessed: 12th December 2023)