On 30 January 2024, the Competition Market Authority announced it is starting a review of a popular strategy deployed particularly by supermarkets, with the rise in retailers offering cheaper prices to loyalty members only. There has also been scrutiny in the news of retailers who offer member-only sales and discounts to consumers who have provided their data so that the retailer can understand spending habits. A recent GlobalData survey highlighted that almost 40% of consumers surveyed would prefer not to use loyalty schemes as they’re not comfortable sharing their data with retailers and are questioning the legitimacy of these offerings from a data protection perspective.         

What are the key steps retailers can take to maximise the benefit of membership schemes whilst protecting personal data?       

Identify and document the correct lawful basis for processing 

• Are you using profiling as part of your business strategy? You may be able to use legitimate interests as your lawful basis for profiling. However, to ensure you’re appropriately balancing your business interests with the interests of your consumers, conducting a legitimate interest assessment is crucial.  Remember to always give consumers the opportunity to opt-out of profiling.    
• Most forms of direct electronic marketing require carefully curated consent wording. Strict requirements apply for obtaining valid consent and there’s a high bar to be met. For example, avoid directly tying membership access to the marketing consent. Importantly, you should clearly describe what you’re asking a consumer to consent to (without pre-ticking any boxes!).  
• If relying on personal data gathered through cookies or similar technologies, you should confirm whether your consent is valid and be aware of the recent European Data Protection Board guidance threatening to change how pixels are treated in the EU. When reviewing your website, confirm and highlight that there’s a clear option to reject cookies. This option shouldn’t simply lead to the website closing. And avoid having a banner with “accept” in bold and “reject” hidden under a different term like “settings” or “more options”, as this isn’t considered to meet the standard of valid consent.  

Be transparent to ‘earn points’ and build trust with consumers  

• Clearly describe the data processing you're performing. Especially where you’re processing personal data in a way that people might not necessarily expect. Invisible processing is heavily scrutinised by regulators and should be avoided. It’s better to draw explicit attention to higher risk processing by mentioning it at the start of your privacy policy or in the user journey.  
• If you are processing personal data for analytical purposes or collaborating with social media companies for targeted advertising, it’s essential to clearly disclose that in your privacy policy.  
• Helpfully, the Information Commissioner’s Office (ICO) recently launched on its website a toolkit for organisations considering using data analytics, providing useful reference for retailers considering AI to analyse personal data gathered through retailer memberships.
• Remember, when making discount price claims to your loyalty scheme members, advertising rules still apply – be sure that the loyalty pricing doesn’t mislead shoppers, that promotions are genuine and that you are making the membership accessible to all!