The Swedish County Administrative Court recently considered what sort of information should be provided to consumers, and more specifically, loyalty cardholders, regarding the collection and processing of personal data. In three different judgments, the court upheld decisions by the Swedish personal data authority, the Data Inspection Board (the “DIB”), stating that information made available to loyalty cardholders should be improved.
Many retailers offer loyalty cards, which allow the cardholder’s purchases to be recorded in detail, whilst the cardholders obtain discounts, special offers and similar benefits in exchange. There is, however, a concern that the data collected covers many people – the largest loyalty card databases in Sweden contain the details of several million cardholders – and that the data is used not only to determine discounts but also to create customer marketing profiles. These profiles can be used to send direct marketing materials to cardholders based on their consumption habits. Since purchase-related information may give an insight into a consumer’s lifestyle and interests, such information is generally seen as potentially sensitive and likely to undermine personal privacy.
For these reasons, in 2005 the DIB investigated the use of loyalty cards which resulted in a report (No. 2005:2) and several supervisory decisions, including the three decisions of the DIB which have now been upheld by the County Administrative Court. These three decisions concerned the retailers, Intersport (a sporting goods chain), JC (a clothing store for young people) and OK-Q8 (a petrol station chain). The DIB investigation showed that every time a cardholder made a purchase, the retailers would gather information about the type of goods purchased, their price, the time and location of the purchase and the loyalty card number. The subsequent processing of this personal data was based on consent given by cardholders at the time of their registration for a loyalty card. However, the detail provided to the cardholders about the types of personal data processed and the purpose of the data processing varied. For example, Intersport only informed its cardholders that it would collect and store “receipt-related information” as part of its data processing. Intersport and JC stated that the purpose of data processing was customer profiling, while OK-Q8 gave no clear explanation as to why detailed purchasing information was collected and stored. In addition, purchasing data was retained for periods of 3 years to more than 10 years.
In its decisions the DIB concluded that purchasing data may be recorded to create customer profiles, provided the cardholders have been informed about how their personal data is being used. If the explanation is insufficient, the consent to processing will be invalid and any processing unlawful. The DIB found that all three of the retailers had failed to provide cardholders with sufficient information about (i) which personal data was processed and (ii) for what purposes such personal data was processed. The DIB ruled that in order for any consent to be valid, in addition to information about (i) and (ii), clear information regarding how long the personal data would be retained, the cardholder’s right to decline direct marketing materials and the right to review and amend personal data should be provided. The DIB ordered the retailers to provide new cardholders with better initial information and current cardholders with additional information; or, alternatively, to cease their data processing activities.
Regarding retention, the DIB stated that data relating to purchases should not be kept for longer than necessary and it doubted that information about goods purchased needed to be retained for more than a year. However, the DIB noted that other purchase-related data, such as name, address and loyalty points collected, could be retained for as long as the customer kept his or her loyalty card and that discounts or rewards could still be claimed.
On appeal, the County Administrative Court upheld the DIB’s decision. The court concluded that the information provided by the retailers had been insufficient, both with regard to what personal data was being processed and the purposes for which such data was being processed. The court therefore held that the DIB’s order to the retailers to provide additional information or to stop processing had been legally justified.
These three judgments suggest that the Swedish DIB has been successful in its attempts to supervise the retail trade’s use of loyalty cards, which are often used as a means of creating customer profiles for direct marketing purposes. Although the DIB found that the relevant companies had processed personal data unlawfully, the order given by the DIB was imposed without a fine. The direct impact on the retail trade is therefore hard to assess and could possibly be quite modest. However, the DIB’s supervisory measures are likely to raise consumer awareness of customer profiling issues, so that questions such as “What data about my consumption pattern will be stored?” and “For what purposes will such data be used?” are raised when registering for a loyalty card. Loyal customers deserve clear information about how data relating to their personal life is used: loyalty should be a two-way street.