Italian DPA issues guidance on the use of fidelity cards

28 April 2005

Debora Stella

Fidelity cards, also known as loyalty cards, are increasingly being used by customers interested in taking advantage of the benefits offered (such as discounts, bonuses or premiums, priorities, additional services or payment facilities) by goods and service providers (supermarkets, shopkeepers, and other promoters of loyalty programmes).

Often, such marketing tools are also being used to profile the user’s preferences for the purpose of direct marketing. In fact, fidelity cards usually provide the issuer with complete information on the identity of the holder, as well as on his/her preferences. Such information may contain sensitive data, e.g. personal data relating to the health of the card holder, or his/her political or religious beliefs.

Considering that the use of fidelity cards could lead to serious privacy violations, in March 2005 the Italian data protection authority (the “Authority”) issued guidance on the use of data related to fidelity cards. The major rules may be summarised as follows:

  • Notification: according to the general legislation on data protection, the processing of data by electronic means for profiling purposes is subject to prior notification to the Authority.
  • Notice: according to the new guidance, before collecting the customer’s data, the card issuer must provide the applicant with a clear and complete notice of the processing of their data. The notice must be clearly positioned on the application form and must be kept separate from the terms and conditions of the loyalty programme. In addition, both the provision of the notice and the actual collection of the data must be carried out in a fair manner. It is, therefore, unlawful, for example, to pressurise the applicant into completing the form at the point of purchase, where he/she may be unable to read the information on the processing of data carefully.
  • Necessity of the data: the collection of data must be restricted to the data actually necessary to grant the promised benefits. For instance, no details on the purchased products may be collected unless such data is strictly essential to the loyalty purpose of the card, e.g. where specific benefits are granted only if certain products/services are purchased. No sensitive data may be collected, or otherwise used, for profiling purposes.
  • Joining the loyalty programme: admission to the loyalty programme cannot be made conditional on the applicant consenting to his/her profiling and/or to receiving direct marketing proposals. The applicant must be offered the possibility to refuse to share his/her data for such additional purposes (profiling and direct marketing) without being prejudiced when applying to join the loyalty programme.
  • Specific consent: the processing of data for the purpose of profiling and the processing of data for the purpose of direct marketing each require the specific consent of the applicant. If the applicant refrains from giving such specific consent, his/her data can only be used for loyalty purposes.
  • Databases: databases storing personal data for profiling purposes cannot be interconnected, intersected or otherwise used for comparison with other customers’ data if the data has been collected for loyalty purposes.
  • Storage of data: save for the case where the data has been anonymised (i.e. where it can be ensured that it will not be possible, either indirectly or by interconnection with other data, to identify the person to whom such data refers), the time limit for storing data for the purpose of profiling is 12 months from the date of collection, and 24 months where data is collected for the purpose of direct marketing. Should the card issuer wish to store data for longer periods, it will have to submit a request to the Authority.

In light of the Authority’s new guidance, promoters of loyalty programmes, as well as companies providing profiling and marketing services, will have to invest both time and money to ensure that they really are compliant.