Loyalty cards and safeguards for consumers: guidelines applying to...
Loyalty cards and safeguards for consumers: guidelines applying to loyalty programmes - February 24, 2005 
[web n. 1109624]
[ doc. web n. 1103045]
LOYALTY CARDS AND SAFEGUARDS FOR CONSUMERS: GUIDELINES APPLYING TO LOYALTY PROGRAMMES
As issued by the Italian data protection Authority on February 24, 2005
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today in the presence of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary General,
Having considered the claims and reports submitted with regard to processing personal data that had been collected via loyalty cards,
Having found it necessary to set out measures that are both necessary and appropriate in order to bring the processing into line with the provisions in force (Section 154(1), letter c), of the personal data protection Code),
Having regard to the records that have been acquired further to the investigations that have been started as well as the public consultation already carried out,
Having regard to the considerations made by the Secretary General pursuant to Section 15 of the Garante´s Regulations no. 1/2000,
Acting on the report submitted by Prof. Gaetano Rasi,
1. Loyalty Programmes and Chain Retailers
The Garante has received claims and reports on the processing operations carried out in connection with the growing use of loyalty cards that are aimed at establishing durable relationships with customers for purposes of shopping and/or the provision of services.
The cardholders can enjoy some benefits based either on the issuance of the cards or on the type and/or amount of the expense and/or the requested services (e.g. discounted prices on some products, awarding of prizes or related bonuses, privileged treatment, additional services, credit facilities).
The provisions set forth herein apply generally to all types of loyalty card in the so-called chain retailing sector, irrespective of whether the cards are issued free of charge or not, on paper or electronic media, by POS or online, by using a person´s particulars or else an ID code, and by adding up points or not in proportion to the relevant expenses and/or services.
The scope of this phenomenon has expanded considerably to include not only the marketing of consumer goods, but also the provision of transport, crediting, telephony, publishing, leasing, and other services. The regulatory principles referred to herein with regard to chain retailers are of a general character and can already be applied to several industry sectors.
The Garante is addressing the issues for which it is competent, insofar as they are relevant to the processing of personal data; no assessment is made specifically of the requirements set out by laws and regulations in other respects – e.g. as regards Presidential Decree no. 430 of October 26, 2001 on competitions, prize lotteries, and games of chance.
Issuance of the cards – which is often based on filling in of both a subscription form and a questionnaire – and their use – which results into recording the purchase of goods and services – entail the processing of personal data concerning customers and – at times – the latters´ family members.
As well as identification data and contact details, including e-mail addresses, other information is often collected with regard to customers and their family members, and such information is not required with a view to conferring the benefits afforded by the cards – e.g. education, job title, interests, habits, preferences, shopping habits, etc. .
The said information is often processed in bulk for different purposes, which therefore would require different mechanisms to be applied; it is not infrequent for cardholders to be provided with generic information notices in which the processing operations are described without drawing the appropriate distinctions.
The analysis of consumption habits and choices entails risks to data subjects even though the data are not communicated to third parties.
Consumers, their families and other individuals specified by the latter are monitored in detail as for their conduct in exchange for loyalty-related benefits; they are profiled also within specific centralised and/or local databases and compared with other customers without actually being aware thereof, since no adequate information has been provided to them.
Individual and group-related profiles – so-called clusters, i.e. customer groups showing homogeneous features – as well as consumption propensity indexes are also developed without affording data subjects the opportunity for consenting thereto on the basis of unambiguous, specific information. Under certain circumstances, purchasing goods and services may actually give rise to the collection of sensitive data, which are not allowed to be processed, as a rule, for the purposes in question.
This is compounded further by the direct contacts that may be established with customers either by card issuers or third parties in view of marketing operations, commercial communications and/or advertising, direct selling, or market surveys.
In the light of the growing frequency of these activities as well as in order to safeguard data subjects, the Garante hereby provides that data controllers should take some measures that are necessary and/or appropriate in order to bring processing operations into line with the legislation in force concerning personal data protection (see Section 154(1), letter c), of the Code).
2. Data Minimisation and Proportionality
The provisions below are set forth by having regard to the distinction to be drawn as for the three main purposes referred to above – i.e. loyalty programs as such, implemented by awarding the benefits mentioned heretofore, profiling based on the analysis of consumption habits and choices, and direct marketing –, which makes it necessary to envisage different processing mechanisms with particular regard to data categories and retention.
Processing shall have to be performed by complying with data minimisation, lawfulness, fairness, data quality, and proportionality principles (see Sections 3 and 11 of the Code).
- pursuant to the data minimisation principle (Section 3 of the Code), information systems and software shall have to be configured from the start in such a way as to minimise use of information relating to identifiable customers. Personal data related to customers may not be processed if the purposes of the processing – with particular regard to profiling activities – can be achieved by means of either anonymised data or indirectly identifying data;
- pursuant to the proportionality principle (Section 11(1), letter d), of the Code), all personal data and the relevant processing mechanisms shall have to be relevant and not excessive with regard to the purposes to be achieved.
As pointed out above, sensitive data may not be processed, as a rule, for any of the purposes in question (see Section 4(1), letter d), of the Code), subject to exceptional circumstances whereby processing the data is actually indispensable in connection with the specific goods and/or services requested and it has been authorised by the Garante as well as consented to in writing by the data subject. This also applies to market surveys, opinion polls and other sample-based surveys (see the Garante´s general authorisation no. 5/2004 as published in the Official Journal no. 190 of August 14, 2004).
The mechanisms to implement the above principles in respect of the individual purposes are set forth hereinafter.
3. Implementing Loyalty Programs As Such
Exclusively such data as are necessary to award the benefits related to use of the card may be processed.
This applies to
- the data that are directly related to identification of a cardholder, such as census register data;
- any data related to the overall amount of expenditure, i.e. excluding detailed references to the individual products, insofar as it is actually necessary to process – in particular, to retain – them in order to award the aforementioned benefits, for no longer than such processing is absolutely necessary. In principle, retention of detailed data concerning the specific categories of purchased goods and services, or else the benefits awarded such as points, prizes, bonuses, etc., is not necessary, especially in view of implementing a loyalty program as such. In the specific cases in which said retention is lawful, the proportionality principle shall have to be complied with.
4. Profiling Customers
Individuals and groups can be profiled, in several situations, by only using anonymous and/or non-identifying data – e.g. a digital code – without establishing any relationship between the data allowing identification of data subjects and the analytical information related to their personal sphere – such as their tastes, preferences, habits, needs, and consumption choices. If the relevant purpose can be achieved in this manner – especially as regards profiling customers by homogenous categories –, it is unlawful to use, still less to retain, personal and/or identifying data.
In the remaining cases, the information to be acquired whether upon the customer´s subscription or further to the registration of additional goods and/or services as well as the processing mechanisms applied thereto must be relevant and not excessive in respect of the type of marketed goods and/or the services provided.
The proportionality principle shall have to be abided by as also related to the planned recording of the information in databases, especially centralised ones. Additionally, the latter databases shall not have to be interconnected and/or used for matching and comparing data with those used for implementing fidelity programs as such.
As for sensitive data, it should be recalled further that it is unlawful to use data suitable for disclosing health and sex life with a view to profiling activities (see the Garante´s general authorisations no. 2/2004 and 5/2004 as published in the Official Journal no. 190 of August 14, 2004).
5. Direct Marketing
Relevant, non-excessive data may be collected and used with a view to sending advertising materials – also via specialised literature –, commercial communications, and direct selling. In principle, this only applies to the data that are directly related to identification of either the cardholder or his/her family members, or else of individuals specified by the cardholder. Use of personal data, if any, resulting from profiling activities shall be the subject of a separate consent declaration by the entities concerned.
6. Information to Data Subjects
Customers must be provided with unambiguous, complete information before their data are disclosed and the card is issued, with a view to enabling fully informed adhesion to the proposed initiatives.
In accordance with the fairness principle (see Section 11(1), letter a), of the Code), it shall not be permitted to pursue a line of conduct that is liable to affect a customer´s free, informed decision to subscribe to a "loyalty programme".
In carrying out the operations aimed at issuing a card, one should not press customers unfairly to subscribe to a programme without letting them have the explanations and time required to be informed in advance and consent thereto knowingly, in particular as for profiling and/or marketing activities – which might be the case if, for instance, customers were urged to subscribe whilst queuing at checkout, without being able to take stock of an advance information notice.
The information may be worded in a concise, colloquial style providing it is unambiguous and clear-cut; it must contain all the items required under the Code (Section 13(1) ).
It shall not be allowed to refer unspecifically to operating regulations that are not attached as for the relevant sections. If the information notice is contained in a form, it must be adequately highlighted and placed in its entirety in a separate box so as to be easily identifiable compared with other clauses of the operating regulations that are reproduced either underneath or beside it.
In particular, the features of the profiling and/or marketing activities, if any, must be clearly and specifically highlighted as well as the intention of transferring the data to specific third parties for purposes to be set out in detail.
It should also be specified unambiguously that providing one´s data and consent for the above purposes is a free option compared with the standard activities related to the loyalty programme as such.
7. Subscribing to a "Loyalty Programme" and Consenting to the Processing
As a rule, general terms of contract set forth by the data controller – who is usually the card issuer – must be subscribed to in order to obtain a fidelity card and benefit from the related advantages.
Since processing of the data aimed at implementing the loyalty programme as such is "necessary for the performance of obligations resulting from a contract to which the data subject is a party", it is inappropriate in this case to request the data subject´s consent to the processing (see Section 24(1), letter b), of the Code).
Conversely, any other purpose of the processing that entails identifiability of data subjects – profiling and market surveys, or marketing activities – requires the data subjects´ specific, informed consent as given separately for each purpose (see Section 23 of the Code). Consent must be at least documented in writing by the data controller, or else provided in writing by the data subject if sensitive data are involved.
Acceptance in writing of the clauses contained in the operating regulations must be kept separate from the wording used to gather the two types of consent referred to above. Subscription to the loyalty programme must not be made conditional upon the provision of said consent.
Therefore, it shall be unlawful to gather a general consent based on a generic statement, by also referring to situations in which consent is unnecessary and/or disregarding the specific purposes to be achieved.
As for some types of communication via e-mail, facsimile, automated calling systems, and MMS- or SMS-messages, the need for obtaining the data subject´s consent results also from ad-hoc provisions applying to unsolicited communications and/or distance selling; said provisions actually envisage specific mechanisms in respect of the offer of similar services via e-mail (see Section 130 of the Code, and Section 10 of legislative decree no. 185/1999). A copy of the documents certifying provision of an information notice as well as the consent given, if any, should be made available to the data subject in order for the latter to verify and/or modify his/her decisions at any time.
8. Retention Period
In pursuance of the aforementioned proportionality principle, data controllers shall be required to specify the maximum retention period of the data as for both centralised and local databases.
Said specification shall have to be performed after assessing the possibility of collecting and retaining the data for the time permitted in respect of each of the above purposes, by having also regard to supervening decisions made by the data subjects.
The principle to be abided by is that any personal data that does not need to be retained for the purposes for which it has been processed must be either erased or anonymised (see Section 11(1), letter e), of the Code).
At all events, the detailed data on the items purchased by identifiable customers may be retained for profiling or marketing purposes for no longer than twelve or twenty-four months, respectively, as of their storage, subject to their being actually anonymised in such a way as to prevent data subjects from being identified also indirectly and/or via interconnections with other databases.
If a card is withdrawn, or disabled due to non-use throughout a given time span, if it expires or is returned, it shall be necessary to set forth the retention period of the personal data for exclusively administrative purposes – i.e. except for profiling and/or marketing purposes; such period may not be longer than a quarter subject to specific legal obligations applying to retention of accounting records. These specifications must be contained in the information notice; appropriate mechanisms must also be available to automatically erase the data as also related to third party recipients, if any – which applies especially to profiling and/or marketing activities.
9. Notification of the Processing and Security Measures
In addition to the provisions set out herein, the obligations imposed by the Code on data controllers shall have to be abided by.
This applies, in particular, to
a) the obligation to notify the Garante of processing operations carried out with the help of electronic means in order to profile consumers and/or analyse their shopping habits and choices (Section 37(1), letter d), of the Code);
b) the obligations concerning adoption of (minimum) security measures as per Sections 31-35 and Annex B of the Code;
c) the obligation to specify the entities that are authorised to carry out processing operations in their capacity as either persons in charge of the processing or data processors, further to the tasks committed to them and/or the instructions received (Sections 29 and 30 of the Code);
d) the obligation for data controllers to take such measures as are necessary to facilitate exercise of data subjects´ rights and expedite provision of the relevant responses (see Section 10(1) of the Code), with particular regard to the information to be specifically made available if explanations are sought in respect of purposes and mechanisms of the processing (see Section 7(2), letter b), of the Code) and/or the processing is objected to.
Within this framework, it shall be necessary
1. for the data processed in view of profiling activities and/or market surveys to be retained as appropriate in order to limit circulation of the data to what is absolutely indispensable, by restricting the scope of the staff authorised to access the information in terms of both their qualifications and number;
2. to rule out use of systems and programmes that allow – in cases where this is not permitted – the choices, behaviour, and profiles related to identifiable data subjects to be systematically traced without being the subject of prior checking by this Authority pursuant to Section 17 of the Code;
3. for the safeguards referred to above in respect of data communication and retention, as well as concerning transparency in the information provided on the purposes and the entities striving to achieve said purposes, not to be voided by appointing external entities as data processors; and
4. to provide data subjects with specific contact details including an e-mail address, also in the information notices, in order to facilitate exercise of their rights.
10. Communication to the Garante
Pursuant to and for the purposes of Sections 157, 164, and 168 of the Code, the data controllers mentioned in the files of cases currently pending before the Garante are hereby urged to attest, by no later than May 15, 2005, that the processing operations performed by them are compliant with the provisions set forth herein, and to provide any and all information that may be helpful in this connection by also enclosing the relevant documents.
BASED ON THE ABOVE PREMISES
orders the controllers of processing operations falling within the scope of this provision – pursuant to Section 154(1), letter c), of the Code – to take the measures referred to therein that are necessary and appropriate in order to bring their processing operations into line with the legislation in force.
Done at Rome, this 24th day of February 2005.
THE SECRETARY GENERAL