Running a loyalty scheme? Article 6 of GDPR states:
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Note the first two points (consent and contract). Your loyalty scheme T&Cs probably don’t cover all the ways you use members’ data, and you probably don’t have a contract in place. Time for a review before Australian-type legislation affects you:
The Australian Competition and Consumer Commission (ACCC) has recommended that consumer data protections under the Privacy Act need to be strengthened and a broader reform of Australia’s privacy laws is needed, after it identified several concerning practices around customer loyalty schemes in relation to consumer privacy.
In its Customer Loyalty Scheme draft report [PDF], the ACCC has highlighted how customer loyalty schemes — including frequent flyer, supermarket, and credit card operators — are not properly disclosing relevant information, providing sufficient transparency, or giving consumers control of how their collected data is used and shared.
The report said loyalty programs are selling insights from consumer data to other parties without consumer knowledge, sharing that data with unknown third parties, and are providing only a limited ability for consumers to opt out of targeted advertising delivered by third parties on behalf of loyalty schemes.
At the same time, the report highlighted how customer loyalty schemes do not present terms, conditions, and privacy policies in a way that can be readily understood by consumers.
The consumer watchdog believes such practices have the potential to cause “widespread consumer detriment”.
“Most people think they are being rewarded for their loyalty with discounts or points, but in reality, some schemes are building up detailed profiles about consumers and selling those insights to other businesses. Selling insights and access to loyalty scheme members are becoming increasing sources of revenue,” ACCC chair Rod Sims said.