A new provision of the Italian data protection law (Loyalty Cards, issued Feb. 24, 2005) is getting a workout. The Data Protection Authority fined a well-known supermarket chain €54,000 for not giving customers adequate information regarding use of personal data. The retailer issued loyalty cards—for shoppers to obtain discounts and rewards—and gathered customer names, email and cell phone numbers (personally identifiable information) and behavioral marketing information (spending habits and locations). Customer profiles were then evaluated and used to create targeted ad campaigns. The retailer didn’t ask customers for consent for all of these uses—a violation of the data protection law.
In Italy, if customer information is used not solely for operating the loyalty program but also for customer profiling and advertising, the consumer must be told and must give consent. While consent is not needed to carry out the contract obligations of the loyalty reward program itself, collecting more information than that purpose requires, or using information for other purposes, requires specific consent. Is this true elsewhere? In Europe? The United States? Canada? Latin America? Asia? New Zealand? Call me and find out, or read my bio.