Skip to content   Skip to footer navigation 

What are loyalty schemes like Flybuys and Everyday Rewards doing with your data?

How the data you hand over at the checkout can be shared and sold to businesses you've never dealt with.

using a loyalty card instore data
Last updated: 20 December 2021


Checked for accuracy by our qualified fact-checkers and verifiers. Find out more about fact-checking at CHOICE.

Need to know

  • New research finds nine in 10 Australians are signed up to loyalty programs, with supermarket schemes the most popular
  • Yet fewer than one in 10 always read the privacy policy and almost a quarter have never read one at all 
  • CHOICE is concerned these programs collect and share data well beyond consumer expectations, and is calling on the government to make urgent reforms to restrict unfair uses of consumer data  

Loyalty programs are everywhere these days – there's hardly a purchase you make, whether it's online or instore, that doesn't have some kind of customer reward scheme. 

And Australians have signed up to these schemes in droves. A recent CHOICE survey found that nine in 10 people belong to at least one loyalty program. Supermarket schemes are the most popular by far, with 85% in one of these programs, while just under half are in an airline program and around a third are in a department store or beauty/cosmetic store scheme. 

A recent CHOICE survey found that nine in 10 people belong to at least one loyalty program

The premise seems simple enough – just give a phone number or email address and you're in the club and ready to reap the rewards.

But you may not realise that you're handing over access to a whole lot of information about yourself and your household.

Loyalty cards – what's in it for consumers?

The appeal is simple: earn rewards or points to redeem products, gain discounts on purchases, and access special offers, pre-sale invitations or other member exclusives. 

There are even some retailers, such as Decathlon, that call themselves 'membership stores', where you must provide personal information like an email just to buy things in their stores.

What's in it for retailers?

Brands and retailers love loyalty schemes because it gives them a direct link for marketing to their customers as well as valuable personal information, including a customer's shopping activity and more. 

As digital transactions have grown, particularly with the pandemic driving many people to online shopping, the scope of digital information that can be collected has also grown substantially.

For retailers, loyalty schemes have two main purposes: 

  • to attract new customers 
  • to retain existing customers with offers that are linked to purchases.

Some retailers (especially larger rewards programs) also earn significant revenue from trading the data collected from loyalty schemes.

Data goldmine

Essentially these programs create something of a data goldmine, enabling retailers to collect valuable and highly specific data about their customers to develop consumer profiles, which they can use to target customers with tailored offers. These details may also be shared with or sold to other businesses to deepen these profiles. 

Loyalty programs share data well beyond consumer expectations, for instance, supermarket rewards programs sharing data with their insurance businesses

CHOICE consumer data advocate Kate Bower

Some loyalty schemes may also use this data to deliver targeted, personalised advertising to their own customers on behalf of other businesses.

Significant concerns

CHOICE is concerned about the aggregation of consumer data and profiling that can be used for manipulative marketing practices and personalised pricing (charging different prices to different people). 

"The programs share data well beyond consumer expectations, for instance, supermarket rewards programs sharing data and insights with their insurance businesses," says CHOICE consumer data advocate Kate Bower.

What data is being collected?

Loyalty schemes are supposed to be a two-way arrangement, what's known as a 'value exchange' in marketing speak, where you, the consumer, hand over some of your information in exchange for discounts or special offers. 

Yet if it were that simple, the Australian Competition and Consumer Commission (ACCC) would not have been compelled to scrutinise the schemes, examining data collection practices and whether consumer information and benefits are sufficient.

First- and third-party data

For brands and retailers, loyalty programs are about a lot more than rewarding repeat purchases – they let these businesses collect valuable consumer data, known in the industry as 'first-party data'.

First-party data is provided by the consumer directly and can include name, email address, phone number, address, birth date and so on, provided passively through their use of apps and platforms via peoples devices and third-party websites. This forms the basis of customer profiles that are then enriched with additional data, or 'third-party data', which is collected from external data brokers and data-sharing platforms.

If you shop at Woolworths with your Everyday Rewards card, Jimmy Brings (previously owned by Woolworths) knows all the same personal information

Everyday Rewards, backed by Woolworths and with a host of partners, collects all this basic personal information as well as details on views and clicks on websites, apps and advertisements, drivers licence details if used for verification, details on family members linked in the Rewards app, feedback, competition and reviews details and mobile device details (including model and operating system) and even location data. 

Coles has the Flybuys loyalty program that extends to other retailers including Bunnings, Target and Kmart. It collects much the same information as Woolworths and also shares that information with participating retailers and provides de-identified data to third-party advertisers for targeted advertising on their platforms.

These types of third-party partnerships mean that if you shop at Woolworths with your Everyday Rewards card, Jimmy Brings (previously owned by Woolworths) knows all the same personal information about you that Woolies does, even if you've never used the alcohol delivery service. Likewise, if you use your Flybuys card at Coles, Bunnings will have access to the same information – even if you only ever shop at your local, independent hardware store.

It's not too much of a stretch to say that these days data is the lifeblood of business in general and marketing in particular. 

What are loyalty schemes doing with your data?

In a nutshell, they are making money with your data. 

By combining data from multiple sources, brands can generate insights about consumers for targeted advertising and personalised marketing, often using artificial intelligence. 

Not only can they create more enticing offers, but they can sell those insights to third parties such as data brokers. 

But some brands don’t even need to sell your data to profit from it – they have entire businesses devoted to exploiting your consumer data for profit, such as WooliesX and the Woolworths majority-owned data broking business Quantium. 

Remember, this all started with your personal information shared for the promise of discounts or special offers. 

using loyalty card program online

Loyalty programs collect your data when you shop online and in store.

What are data brokers?

Like the name suggests, data brokers are companies that deal in personal information and consumer data, holding vast troves of information on billions of people. They've even been described as a threat to democracy because of the extent of data that can be shared and sold, all without adequate protections from privacy laws.

Some of the big names in data-broking include Axciom, Datalogix (now owned by Oracle), Epsilon, Quantium (which Woolworths has a 75% stake in) and CoreLogic, although there are many more. 

How do they get your information?

Data brokers can collect and compile information from a variety of sources, such as:

  • browsing activity, including searches, websites and online apps and forms
  • public records, including licenses, birth certificates, records and census data
  • commercial sources, such as credit card transactions, loyalty programs and so on
  • personal information you provide to a business that has your consent to share.

Data brokers hold thousands of attributes on billions of people, gained by scraping the web and buying and collecting information from a multitude of sources. Some 1400 loyalty programs globally compile and sell personal information, according to a 2019 WebFX report.  

These vast data sources aren't always used for benign marketing activities. Data linked to browser cookies, for example, can be used for personalised pricing on certain websites, like airlines and even Amazon, and you may be none the wiser. Even political parties can pay to access databases (and they aren't covered by the Spam Act). And shopping and credit card data can flow through to your credit rating, potentially affecting loan and credit approvals. 

Using this data in digital profiles for decision-making, as well as applying algorithms and AI, can create or reinforce existing biases, create inequalities in opportunities and lead to digital discrimination, all without people fully appreciating the pervasive nature of digital data collection and profiling. 

Data can be collected with or without a loyalty card

To understand just how far the data collection can extend, consider that Flybuys may track purchasing behaviour and transaction activities of loyalty scheme members when they shop at Coles, even if they don't scan their loyalty card, because they link payment card details to the member profile.

The same goes for Woolworths' Rewards scheme, which links payment data with profiles.

CHOICE believes that even despite disclosures in terms and conditions or privacy policies, consumers probably don't realise their data is being collected and used by supermarkets even when they don't scan their loyalty cards. 

We recommend that loyalty schemes end the practice of automatically linking payment card information to loyalty scheme profiles, arguing that decreasing privacy can harm consumer welfare and increased profiling risks discrimination and exclusion, ultimately lowering consumer trust.

Increased risk of consumer harm

If you find that scenario of widespread data collection disturbing, you're not alone. Many consumers report being concerned about data sharing between unknown third parties, targeted advertising and whether their data is being used responsibly and safely. The lack of transparency from loyalty programs leaves consumers vulnerable to harms, including personalised pricing and biased automated decision making that unfairly restricts or excludes people from products and services. 

We recommend that loyalty schemes end the practice of automatically linking payment card information to loyalty scheme profiles

As the ACCC found in its 2019 report into loyalty schemes, people want more transparency and control over the way their data is used as well as better data practices, legislative protection and greater individual rights over their personal information. The regulator has called for broad changes to privacy and consumer laws and encourages consumers to lodge concerns with them. 

"The ACCC will consider consumer reports about practices of concern, taking into account the principles and priorities in its compliance and enforcement policy before deciding whether enforcement action will be required to effect broader change," a spokesperson tells CHOICE.

looking at terms and conditions on phone

Many consumers are concerned that their data is being shared with unknown third parties.

Can I control what happens with my data?

Realistically, very few people have the time, ability or inclination to read the fine print in a loyalty program's privacy policy, particularly when it's an on-the-spot sign-up process. 

According to our survey, fewer than 1 in 10 people (9%) who have joined a loyalty scheme always read the privacy policy and almost a quarter have never read one at all. But this shouldn't give brands complete freedom with customer data. And it shouldn't excuse the complete lack of transparency for consumers about what happens to loyalty scheme data, particularly about who their data is sold to. 

While Australians might be willing to sign up to a loyalty scheme, they aren't clearly told about the extent of personal information that could be traded. 40% of people weren't aware loyalty schemes could sell their data to data brokers, and roughly the same number (41%) didn't realise it could be used to make decisions about them, including their credit worthiness.

We also found that the areas where people have the least awareness are actually the areas they are most concerned about, with 70% concerned about their data being sold to data brokers and 62% concerned about schemes using this data to make decisions about them.

CHOICE calls for reform to stop unfair and non-transparent use of data 

CHOICE is concerned that companies are collecting and using data beyond what is needed to deliver rewards to customers. We believe that the sharing and selling of data with data brokers is exploiting our data for profit and is well beyond the reasonable expectations of consumers. What's more, some ways businesses can use this data can cause serious harm. For example, by targeting groups of customers with higher personalised prices. 

We believe that the current privacy laws are inadequate to protect consumers from secondary or tertiary use of their data. Once consumer data has been passed or sold to a third party, consumers have limited transparency or control over their information. 

CHOICE calls on the government to review data use beyond what is needed for the provision of products and services

CHOICE consumer data advocate Kate Bower

"CHOICE calls on the government to review data use beyond what is needed for the provision of products and services and whether the privacy act is strong enough to protect consumers and ensure they have adequate control of their data," says Bower.

The question about being able to manage your data goes to the appropriateness of the existing privacy laws. As they stand, they're no longer adequate to cover the extent of personal data collection and processing.

Review underway 

There are moves afoot to review the privacy laws, with the Attorney-General currently undertaking a review. Some of the elements to be considered are whether people should have the direct ability to enforce legal privacy obligations, and whether the definition of personal information should be expanded to include online identifiers and technical data. 

Right now people can only lodge complaints with the Office of the Australian Information Commissioner (OAIC), but the review is considering whether there needs to be a provision for people to go to court and seek compensation for unlawful privacy breaches.

Consumers should have simple, transparent and easy to understand privacy protections from businesses. However, since data collected in loyalty programs is used for such wide and variable reasons, it's unreasonable to expect people to be able to give informed consent.

"CHOICE calls on the government to ensure these protections are in the revised Privacy Act," says Bower.

"We welcome increased penalties for businesses that breach consumers' trust by exploiting their data for profits."

Our survey

CHOICE surveyed 1045 Australians between 15 and 29 September, 2021. 

The data has been weighted to make sure it is representative of the Australian population according to the 2016 ABS Census data on age, state, sex, household income and education.

We care about accuracy. See something that's not quite right in this article? Let us know or read more about fact-checking at CHOICE.

Stock images: Getty, unless otherwise stated.