In the context of the new Everyday Rewards programme, you sign away your privacy by entering login details online or using the card in store.
ComCom’s Australian counterpart, the Australian Competition and Consumer Commission (ACCC), conducted a review in 2019.
It found loyalty schemes were earning hundreds of millions of dollars a year from selling consumer information - such as selling access to digital marketing services, and consumer data for analysis and insights.
It also highlighted a ‘power imbalance’ between consumers and loyalty scheme operators thanks to hard-to-understand disclosures about how data is used and shared.
Devil’s in the details
For potential Everyday Rewards members, “the full Everyday Rewards Privacy Policy will become publicly available in the coming weeks, should you wish to know more details”, the Countdown website reads.
“To ensure you can earn points and redeem your vouchers at our partners, limited data must be shared with our partners.”
A Countdown/Woolworths spokesperson said the data will only be shared with those partners for the purposes of administering the programme. They, in turn, will only be allowed to use that data for the same purpose.
“We take the privacy of our customers seriously and their information is not sold to anyone.”
The company declined to give me a list of partners and an answer as to whether they sold the data.
Regardless, personalised advertising can be great in terms of ease, but what happens when data sharing is used to allegedly exploit and target vulnerable communities?
To compare, the US Federal Trade Commission alleged Weight Watchers’ children’s weight management subsidiary Kurbo violated the Children’s Online Privacy Protection Act by collecting information without parental consent last year.
What’s more, sharing the data increases the risk of hacking - lest we forget Air New Zealand’s Airpoints scheme saga in 2019, in which the possible passport details of 112,000 customers were exposed.
Olive, Countdown’s Virtual Assistant, couldn’t provide any further information on where the data goes other than recording my chat to assist me and for training purposes and pointing me to the Woolworths website, without a link.
And then I lost interest, forgot I needed washing powder, and became a statistic contributing to the ‘disorganised impulse-buying millennial’ key demographic.
A Woolworths spokesperson said it had refreshed its Privacy Policy and Onecard loyalty programme terms and conditions, to make it easier for customers to understand how their personal data may be used.
A million clicks later, I located Woolworths’ privacy centre. The policy says Woolworths may share your personal info internally, and with its service providers, such as website companies like Google or Facebook, market research companies, and companies that provide data matching.
Generally, Countdown’s privacy policy means the company can collect your name, address, phone number, age, and gender; what, how, and when you buy from Countdown; video footage for security and safety purposes; and your number plate if the store uses automatic number plate recognition.
The privacy refresh followed last year’s Commerce Commission market study into the grocery sector, which found loyalty programmes reduce price transparency, making it difficult for consumers to make informed purchasing choices.
A ComCom survey found 18 per cent of respondents didn’t sign up to a loyalty programme due to data collection concerns. Nearly 35 per cent said they had no understanding of how their data was used and 25 per cent had “little” understanding.
It raises the question - where’s the informed consent? And is there really consent if terms and conditions are difficult to find?
In the context of the internet, a 2019 study analysed the sign-in terms and conditions of 500 popular US websites. More than 99 per cent were deemed ‘unreadable’. Countdown’s policies are easy to read, but information is lacking around the use of said data by third parties.
Data sharing totally legal
The Privacy Commission website says signing up to loyalty programmes is a personal choice. The Privacy Act allows retailers and other businesses to use personal information for the purposes they originally collected that information for, as outlined in the terms and conditions.
The retailer or company operating the loyalty scheme should make clear in its terms and conditions what personal information is being collected, why it is being collected and how it may be used and disclosed, the website reads.
Under the Privacy Act, using the data for commercial activity only, making sure it’s secure and destroying it once the commercial activity is over is entirely legal. Essentially, if the commercial activity is described in the fine print, businesses can do whatever they like.
But should the onus be on customers to search for these vague terms and conditions rather than companies ditching loyalty schemes altogether?
A 2020 Privacy Commission survey found 75 per cent of respondents were most concerned about businesses sharing their personal information without their permission. Two-thirds wanted regulations to increase.
With technology outstripping legislation and companies with schemes like the Everyday Rewards programme increasingly turning from physical cards to digital they’re-tracking-our-every-move programmes, I’d argue it’s time for a Privacy Act refresh.
Sasha Borissenko is a freelance journalist who has reported extensively on the legal industry.