Customer Loyalty, Privacy, and Data Governance


Customer loyalty programs are the backbone of many companies, but they come with a host of data privacy traps, particularly under the new state regulations, which have the collection and use of data for these programs squarely in their crosshairs.

For a discussion of loyalty program privacy risks and opportunities, Blueprint Data Strategy Director, Mark Milone, moderated a panel at the 2022 Summer Spokes Technology Conference (held June 22-23).

The Customer Loyalty, Privacy, and Data Governance panelists included Cooley Partner and Cyber Data Privacy Group Vice Chair, Dave Navetta; Bob Seiner, founder of KIK Consulting and Educational Services; and Global SVP Revenue of loyalty technology firm, Annex Cloud, Erin Raese.

Customer loyalty is a hot topic

A Forrester stat: 89% of organizations are investing in personalization, and loyalty is just a really great way to collect the data that you need and to build that relationship with your customer and to deliver personalization.

—Erin Raese, Annex Cloud

Customer loyalty is a much hotter topic now because organizations are looking to deliver more personalized experiences. Consumers want businesses to know who they are, put their needs first, and make their lives easier.

“I had a conversation with a grocer last week,” relates Raese, “who had several requirements: ‘Can you create a discount at point-of-sale? Can you create a discount by product? Can you do discounts by this…and by that…?’”

“Sure, but why? What about the customer experience? What kind of customer experience do you want to deliver?”

You probably have email addresses which is great – that allows you to give them the discounts they were looking for. But what if you knew that Mary was a vegetarian and a gourmet cook?

What kind of experience could you deliver to Mary?

—Erin Raese, Annex Cloud

“And what if you knew that Mary had a husband who was on a keto diet and a daughter who had peanut allergies,” continued Raese. “What kind of experience could you deliver then?”

“If you think about it, the grocer could serve up recipes that fit everybody’s dietary needs. Mary could come to their website. They could curate all the ingredients for all those different recipes, and Mary could go click, click, click…and put them in her shopping cart.”

Bumping up against privacy-related issues

“Here we start to bump into privacy laws which are very much in flux right now,” cautions Navetta.

The fundamental question here is – with the regulations as they are today and cookies starting to become less of a viable means to gather useful information – many marketers are starting to think of loyalty programs as another rich field for collecting data.

But, perhaps also, some of the goals of these programs are not loyalty at all but harvesting a lot of personal information for bigger picture revenue goals.

—Dave Navetta, Cooley

“We have to make sure we’re addressing that and balancing out the requirements around privacy laws.”

“A primary role of a data governance program is to manage that balancing act,” says Seiner. “Personalization is all about that customer data. Important considerations include ‘do customers know what data you’re collecting about them and how you’re using that data?’ Data governance can play a role in all of those things.”

The role of trust

It starts in trust, and then it’s really the company’s obligation to ensure that they respect that trust and are good stewards of the person’s data… It’s everything. Everybody walks into that experience looking for trust.

—Erin Raese, Annex Cloud

“The basis of loyalty tends to be a two-way dialogue. A two-way value exchange,” proffers Raese.

“There are terms or conditions, and they should be laid out so the customer knows – or should know – what they’re getting themselves into when they join. That they are going to give data and in return getting personalized experiences, recognition, or rewards in exchange.”

But “when you start to use data outside the parameters of those expectations: to collect data…to sell to a third-party…that starts to erode trust,” submits Navetta. “For the privacy conscious, understanding how the data is going to be used and who it is going to be transferred to are important. But it is also reflected in what regulators and legislators are ultimately requiring.”

Is it just for loyalty or some other purpose?

You’re not going to be loyal to somebody unless you trust them. This requires that customers have confidence in knowing how you’re going to handle the data. Collecting only that data you’re going to use is good, but oftentimes other data is collected along the way.

—Bob Seiner, KIK Consulting

“You need to be able to explain what you’re going to collect, how you’re going to use it…and you have to have a strategy for communicating that back to the customer,” avers Seiner.

But, as Milone points out, “We don’t know all of the uses of the data generated at the point of collection. It could easily become a new use that wasn’t contemplated when it was collected from the customer.”

Where companies don’t have proper governance, we see that after the program has been running for some time, someone in marketing realizes how much data they have, how rich it is, and conceives of new ways to use the data.

And that’s when you get into legal trouble.

—Dave Navetta, Cooley

Selling, sharing, aggregating, and de-identifying data

“I think we’re going to start seeing companies gathering first-party data and zero-party data and wanting to supplement it with other data,” opines Navetta.

And that constitutes a sale of data under certain laws even though no money has been exchanged. This goes to transfers and under the CCPA, for example, you have to provide an opt-out.

In addition, the laws are starting to require purpose and use limitations as well, which goes to reasonable expectations of the consumer…and this is where transparency comes into play.

—Dave Navetta, Cooley

That said, “one way to get more flexibility is to normalize the data,” asserts Navetta. To aggregate or de-identify it so it’s no longer ‘personally identifiable,’ and consequently, no longer subject to these privacy laws.

“Do you lose some of the value? This is what you’re always struggling with: the richness in the personalization tends to go away once you strip out the identifying elements.”

Can there be too much transparency?

Hopefully you are using transparency to engender trust, but at what point does transparency become too transparent? You can articulate every conceivable use of the data…and inundate your customer with terms and conditions.

How do you advise a loyalty program to balance transparency with the information the customer actually needs to make a decision about joining a loyalty program?

—Mark Milone, Blueprint

“Loyalty programs, and the use of data around them, is becoming a much bigger issue than it was,” states Navetta, particularly due to cookie deprecation.

“The tendency is to be overly broad because, in the U.S. especially, if you’re notifying customers of data uses, you can use the data as stated without much trouble. Now, this new generation of regulations is starting to put more pressure around use limitations and may require an opt-in if you’re going to use information beyond expected uses.”

I think we’re still going to see broad and maybe overly complex notices to cover all bases, but over time – and as regulators start to clamp down – more precise notices that satisfy legal requirements but also engender trust.

—Dave Navetta, Cooley

What customer data, exactly?

“We look at it in three buckets,” says Raese:

  1. The information that you give when you sign up for a program
  2. Tracking your behavior when you’re making purchases or different types of interactions. A lot of the programs today will incent you to interact with the brand (e.g., hashtag in social media, review writing, and award redemption), and
  3. Progressive profiling. The attempt to get additional information through, for example, surveys about what customers enjoy.

In this context, it’s not necessarily the sensitivity of the data. It’s the big picture of the data. If you collect a lot of data, you start to learn a lot about people from a privacy perspective and that causes issues.

Regulators and legislators look at the aggregation of [PII], and the inferences and insights that companies can get as a result. There are potential privacy violations that arise in those instances.

—Dave Navetta, Cooley

“What we’re starting to see, is the laws around loyalty programs are making it more difficult for companies to be able to achieve what they want to achieve without having to jump through some compliance hoops.”

Balancing the value and risk of a loyalty program

“If you were going to stand up a cross-functional team to help deliver value from a customer loyalty perspective but mitigate the risks, who do you think should be on that team?” asks Milone.

All the stakeholders in that data.

You don’t want to have a cast of thousands, but you want to make certain…the right people are involved at the right time for the right reason with the right data to make the right decision.

—Bob Seiner, KIK Consulting

Who has authority and accountability? The organization, not single individuals, explains Seiner. “A lot of organizations still use the term data owner because it’s been built into the language, but more organizations are starting to refer to these people as stewards of the data.”

“We’re seeing that for most of the organizations that are being successful with this, it is coming from the top and it’s throughout the organization,” seconds Raese.

Data governance is the execution and enforcement of authority over the management of data and data related assets. But how are you going to get to the point where you’re executing and enforcing authority over the data?

Start to involve stewardship, which is definitionally the formalization of accountability.

—Bob Seiner, KIK Consulting

Loyalty program best practices

  • If you don’t really need the information, don’t collect it
  • Respect the data and respect your customers
  • Be aware that loyalty programs are on the radar of regulators right now and they are looking to make examples
  • Be aware of the new privacy laws that are coming online surrounding this issue
  • Understand the roadblocks you need to overcome
  • Legal and audit departments are your friends! Work with them
  • Partner with data governance to be sure you’re doing all the things you need to
  • Be purposeful and intentional with data
