Hong Kong personal data watchdog warns on consumer loyalty programmes
Many of the most popular schemes lack transparency, says report
Retailers love to offer membership and rewards programmes to lure and retain consumers but Hong Kong’s privacy chief on Monday warned that many shops fail to provide customers with transparency, choices and control over the use of personal data.
Releasing a report on personal data collection by customer loyalty and rewards programmes, Privacy Commissioner Stephen Wong Kai-yi called on retail firms to thoroughly explain to customers their privacy policies and practices, respect customers’ right to privacy and give them control over their own personal data.
The report examined 30 customer loyalty and rewards programmes from six sectors - retail, hotel, catering, airline, cinema and petrol - in late May 2017. The programmes were picked due to their popularity in the local market and potential to collect substantial amounts of personal data from a large number of individuals.
It was found that most of the privacy policies of the programmes lacked transparency.
“Many privacy policies lacked clarity because broad and vague descriptions were used,” the report said, adding that many firms used “our parent companies”, “any of our subsidiaries” and “business partners” as the classes of those they would share clients’ personal data with.
The report also noted that customers were unable to provide meaningful consent for data collection.
“The majority of the programmes obtained ‘bundled consent’ from customers during registration to use their data for multiple purposes. The customers usually did not have genuine choice,” it said.
“Customers could only take it or leave it ... Without genuine choice, there could not be meaningful consent.”
Wong also warned in the report that customers may feel aggrieved when they learn their data were used in ways they had not expected. “This would probably damage the reputation of the programme operators,” he said.
Customers were also unable to exercise control over their personal data in aspects of data deletion, sharing and profiling, the report said.
It was found that 22 programmes, or about 73 per cent, did not provide any information on how to delete clients’ personal data. About 86 per cent, or 26 programmes, did not mention a data retention period.
“Customers were usually not provided with the means to, for example, request for data deletion and to object to data sharing and profiling. The rise of the data broker industry casts further doubt on where the data will end up,” the report said.
Also, the report noted that most of the programmes tended to use client information for research, analytics and profiling but this may lead to excessive collection and amassment of personal data.
“By aggregating and analysing data from various sources, anonymous individuals may be re-identified, and intimate lives of individuals may be revealed,” it said.