New Rules Of Engagement For Data Driven Rewards

Less may be more when it comes to using personal data to drive loyalty and rewards programmes. Just because companies can access the all-you-can-eat buffet of consumer information, it doesn’t mean they should.

It’s a conundrum which strikes at the heart of loyalty schemes. The more data gathered about customers and spending patterns, the better results a firm can expect, with their programmes doing their job to help drive customer acquisition and encourage certain behaviours. At the same time, as consumers realise the implications of their digital footprint, they become more appreciative of companies who are selective, respectful and transparent about the data they access.

This is not a new issue. In an influential 2007 paper, Customer Loyalty Programmes and Privacy Concerns, a team of German researchers found that while some customers were put off loyalty schemes because of privacy fears, those who opted in were actually “more concerned about their privacy than non-participants, which is an interesting, though counterintuitive result”.

Data privacy has been much in the news lately, due to a series of high-profile local data leaks and abuses. These include the well-known Facebook-Cambridge Analytica data breach, in which US politicians attempted to influence voter opinion by the data captured from Facebook by Cambridge Analytica, starting in 2014. According to the Information Regulator of SA, this scandal put the personal information of 60 000 South Africans at risk.

This year we’ve seen more than 900 000 records, including identity numbers, exposed by a data leak at the traffic fines website, ViewFines, as well as the recent leak of e-mail data from insurer Liberty Life. Security experts are generally in agreement that the public only knows about a tiny fraction of the data leaks that happen.

According to Symantec – the company behind Norton Internet Security Suite – loyalty schemes are a growing target for cyber criminals who are after personal details and access to lucrative reward wallets. This is a global trend, the firm says. Backing this up, consultancy firm Javelin Strategy and Research found that in the US, fraud against reward accounts rose dramatically in 2017, from 4 per cent of the total non-payment card fraud in 2016 to 11 per cent by the start of this year.

Loyalty not going anywhere

Businesses today have a fine line to walk with rewards programmes. The programmes themselves are now essentially table stakes – merely having one is no longer a differentiator. There are more than 100 programmes in South Africa; the average consumer already belongs to nine.

But just because South Africans are signing up for loyalty programmes doesn’t mean they’re engaging with them. According to the Eighty20 2018 Loyalty Programme Member Engagement Survey, the number one reason for consumers to disengage from a programme is that accumulating points or rewards was simply not worth the effort.

In other words, there wasn’t enough perceived value for the customer to engage with the programme. Clearly, it is now not enough to offer a rewards programme. Companies also need to fight for front-of-wallet status or, as programmes migrate onto smart phones, first-screen status.

Clever use of data allows businesses to target customers with products, services, offers and discounts that are relevant and valuable to them, not a one-size-fits-all demographic. At its most basic, this might involve knowing a shopper has a cat, not a dog, and then offering them deals on cat food, not a generic dog-food deal. This, in turn, drives engagement with the programme, resulting in even more insight and data.

“The better the value proposition, the more likely the customer is to engage with your loyalty programme and allow the collection of their data,” says Nerushka Bowan, emerging technology law specialist and founder of the LITT Institute.

More aware than ever

As well as major data breaches, publicity around the signing into law and partial enactment of the Protection of Private Information Act (POPI) in South Africa and the enactment of its European big brother, the General Data Protection Regulation (GDPR), has raised awareness around companies’ obligations and consumers’ rights when it comes to personal data.

But this assumption around customers being more cautious about who they share their data with isn’t being reflected in customer behaviour yet, at least according to the report. It says that consumers “appear to be almost too trusting” of rewards programmes. Many are happy to share their spending information without reading the data privacy policies, partially because this information is very often hidden in reams of hard-to-understand legal-speak.

This lack of awareness among consumers doesn’t mean companies should go on a data-feeding frenzy, even though their members demand highly personalised rewards. Bowan warns that the more data a company collects, the higher the risk of a breach.

Indeed, around the world, rewards programmes are being targeted by cybercriminals who steal and sell the rewards currency.

The EU’s GDPR is explicit about this: companies can only collect data for a specified purpose and must not use that data for any other purpose without the required consent. What does this mean for companies stuck between needing to use data to personalise and hone rewards programmes and their wider products and services, and increased obligations around data protection?

Ethical data

Bowan recommends that programmes needn’t be wary of data collection, but should ensure that what they do with the data is both legal and ethical. In terms of POPI and GDPR respectively, loyalty programmes are considered “responsible partners” and “data controllers” and have certain obligations when it comes to how they collect and use data.

“These steps are usually aimed at protecting the customer’s information – for example, by ensuring that there are adequate data security measures in place and that any breaches of information are brought to the attention of the Information Regulator and customers,” she says.

“Other obligations include informing customers of what will be done with the information collected – for example, who the information will be shared with and whether the information will be sent out of the country.”

Legally, a company is obliged to “ensure that there are proper mechanisms in place to get rid of data when it no longer requires it and to encrypt, ‘pseudonymise’ or anonymise data where appropriate. Companies may also receive requests from customers to access their data and need to have the proper processes in place to comply with those requests,” says Bowan.

“It’s worth bearing in mind that, as hefty as the fines under POPI and GDPR might be, this can be secondary to the loss of trust with customers.

“Often it is not the non-compliance with the law that has the largest impact, but the follow-on impact on a company’s brand and reputation,” she says.

Discernment and transparency are the watchwords here. “Transparent loyalty programmes use the information collected for the benefit of the customer and take steps to keep the information secure,” Bowan concludes. “They don’t sell it.”