Loyalty Programs and Data Protection - A checklist for program providers

As inflation soars, consumers are more likely than ever to join a loyalty program and are willing to pay if the program guarantees discounts and offers relevant benefits. Loyalty programs provide important new avenues for brand engagement, and also allow loyalty program providers to understand more about their customers, providing a potentially rich source of customer data.

So, interesting times for loyalty scheme providers. But because these schemes involve the collection and processing of lots of customer data, UK GDPR is never far away. In this article, we summarise some of the data protection issues that loyalty program providers need to think about when running loyalty programs.

1. Be transparent about how you use loyalty scheme data - The UK GDPR requires loyalty scheme providers to be transparent about how their programs process customer data. So, offer your customers a clear and concise privacy notice when you collect their data. There are a number of things to include, but the main points are:

  • Who you are
  • Purposes for processing for the loyalty program
  • Lawful Basis
  • What rights the customers have

2. Have a lawful basis for using loyalty scheme data - Loyalty scheme providers need to select a lawful basis under UK GDPR for the processing they do. People often think of consent as the most obvious basis, but others are available, such as legitimate business interests. If your program collects “special categories” of data (such as a customer's health or ethnicity), you will need to select an extra condition on top of that (such as explicit consent). You need to document your lawful bases, and keep to them.

3. Take care when profiling your customers - Loyalty scheme providers might use customer data to build a profile of their customers' likes and behaviours. Where they do this, they should ensure the data is accurate and up to date under UK GDPR. If the data isn't correct then any profile or decision based on the data will also be flawed. Scheme providers should also tread carefully if they are making automated decisions about their customers - there are strict rules for this, and they might need customers' explicit consent to do so.

...and don't forget

This article has covered the key issues that loyalty scheme providers should consider when processing their customers' data. It is not an exhaustive list. In addition to these challenges, scheme providers should take into account UK GDPR principles such as data security, purpose limitation, and storage periods for customer data.

These are challenging times for retailers, but they also offer opportunities. Loyalty scheme providers who can balance commercial opportunity with good data governance will be the ones best placed to inspire customers and retain their trust (and loyalty).

To discuss anything further please contact Freeths' National Head of Retail, Philippa Dempster or our Head of Data, Luke Dixon.

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
