Incognito — December 2022: Loyalty Programs Exploit Your Data
November 29, 2022
Welcome to the December 2022 issue of Incognito, a monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.
Here’s what we’re talking about this month:
Loyalty programs. Who do loyalty schemes really benefit—you or the retailer?
Recommended reads, including “Apple Tracks Users Without Consent, Is Hit With Lawsuit.”
Q&A: What do you say to people who say, “I don’t care about privacy because I have nothing to hide?”
Know someone who could benefit from proactive privacy protection? Refer them to DeleteMe—they get a 20% discount and you get a $50 Amazon gift card if they sign up.
If you think your friends or family might enjoy learning more about data privacy, feel free to forward them this newsletter.
When, in 2018, a new cafe opened in Providence, Rhode Island, it immediately caused controversy over the way it priced its coffee.
It wasn’t that its prices were too steep. It was that the cafe did not charge some customers at all. Or at least it didn’t accept traditional currencies. Instead, it asked customers for personal data. And the permission to send them information from corporate sponsors.
Some have called this business model “dystopian.” Others applauded the cafe for being “candid” about its data collection practices.
Whatever your opinion, the fact is that most of us trade our data for free coffee/frequent flier points/discounts every day. That is, if we participate in loyalty programs.
There’s No Such Thing As a Free Cup of Coffee
There are many reasons why a brand might launch a loyalty program. To encourage repeat purchases, for example. Or promote brand advocacy. However, without a doubt, one of the main reasons for starting a loyalty program is to collect customer data.
When customers sign up for a loyalty program, they immediately share information like their name, gender, age, address, email address, and phone number with the company behind it.
As they begin to participate in a loyalty scheme, shoppers let businesses find out more about them, like what they buy and when, how much they spend, and how they pay.
Companies can infer a lot from this information. For example, the time of day someone shops can tell the store whether they’re employed, whereas the products they choose can indicate how much they earn and whether they’re on a budget.
If a loyalty program has an app, brands get more data still, such as device type and identifier, location, and user activity. Some companies also purchase additional customer information from data brokers to get a more accurate picture of who their customers are.
How Much Is Your Loyalty Worth?
Having access to detailed consumer data means businesses can sell shoppers more stuff through personalized offers.
“This picture of who you are, what your motivations are, who you want to become, can all be used to nudge you to purchase something or even behave in a certain way,” said campaign group Privacy International in a BBC article.
Many companies also share or sell customer information to other businesses in their group, their own data brokerage subsidiaries, or third parties like data brokers and insurers. There have even been complaints about loyalty programs sharing underage members’ information with partner credit card companies that then send them marketing materials.
Australia’s consumer watchdog estimates that companies with loyalty schemes can generate between $71m and $241m in revenue each year from selling consumer data.
Consumers Are Unaware of the Problem
With third-party cookies due to be phased out and consumer privacy a growing issue, loyalty programs are now seen as an alternative way to collect consumer data.
A recent YouGov poll found that almost 9 in 10 Americans are willing to share their personal information with brands in exchange for free products, discounts, and rewards. And about 7 in 10 like it when brands send them personalized deals based on shopping history.
But most customers who join loyalty programs have no idea how much data they end up sharing or what their data is used for.
This is because the vast majority of loyalty programs are not transparent, do not disclose relevant information, or fail to give customers control over their data.
Other times, important privacy information is buried in terms and conditions that are long-winded and difficult to read.
Not swiping a loyalty card doesn’t necessarily prevent loyalty program members from being tracked, either. Brands typically link payment data with loyalty programs, so shoppers can be tracked based on their credit and debit cards.
A Target for Hackers
All that information collected by loyalty scheme providers has to be stored somewhere. If a data breach happens, consumers’ privacy is at risk.
A recent breach of the IT company SITA compromised loyalty scheme member data at numerous airlines, including Lufthansa, United, and American Airlines.
Although the breach exposed only names, status levels, and account numbers, Stuart Barwood, director of global airline strategy for the fraud prevention company Forter, said in a Travel Weekly article that hackers would more than likely cross-link the data they stole with other loyalty program breaches. It is estimated that about 1 in 300 loyalty program log-in attempts is an account takeover attack.
After a successful account takeover, hackers can steal rewards or personal information (including financial data—many loyalty programs are linked to debit or credit card information), which they can use themselves (for example, for identity theft) or sell on the dark web for a tidy profit.
So, What Can You Do?
Weigh up the pros and cons of joining. Before signing up for another loyalty scheme, make sure the rewards are worth it (they rarely are). Read the privacy policies to better understand what will happen to your personal data once you start engaging with a loyalty program.
Opt out of the sale of your data. Under the California Consumer Privacy Act, California consumers can ask any loyalty program provider to see the personal data they have on them, request that it be deleted, and opt out of their data being sold. The CCPA also stipulates that businesses cannot discriminate against customers who exercise their rights under the law.
Use unique passwords. Where a loyalty program/app requires a password, make sure you create one that is unique. Otherwise, a breach at one loyalty scheme provider can jeopardize all your other accounts.
Share minimal information. When applying for a loyalty program, never include your Social Security number or driver’s license. Most loyalty schemes will approve your application even if you leave these spaces blank. Similarly, if you’re downloading a loyalty program app, limit the permissions you give it. Consider also creating an email address just for loyalty schemes.
Watch out for loyalty program phishing emails. Cybercriminals may attempt to steal your loyalty program information through a phishing email, so be wary of any suspicious communications.
Our recent favorites to keep you up to date in today’s digital privacy landscape.
Privacy Policies for IoT Devices Incomprehensible, Finds Mozilla
Mozilla’s recent *Privacy Not Included holiday buyers guide found that the privacy policies of IoT devices have gotten more complicated and incomprehensible. For example, Meta’s Quest Pro VR headset has 14 privacy documents that come to 37,700 words—6,747 words longer than Charles Dickens’ novella “A Christmas Carol”—and would take just under five hours to read.
Meta’s New Tool Lets You Delete Your Phone Number and Email
Even if you don’t have an account with Facebook, it probably still has your phone number and email address. Now, the company has a tool that lets you check if they have this information and allows you to delete it. The tool was released by Facebook’s parent company Meta in May 2022 but did not become public knowledge until the end of October when Business Insider ran an article about it.
Some People Are Worried Over the Kids Online Safety Act
As some groups push for the Kids Online Safety Act (KOSA) to be advanced, others worry that the bill, which is meant to protect children from online harms, would lead to widespread censorship. In addition, it is argued that to verify users’ age, KOSA will necessitate greater data collection, which could have a negative impact on all users’ privacy.
Apple Tracks Users Without Consent, Is Hit With Lawsuit
Apple is collecting user data even when users turn off tracking in Settings. According to two independent researchers, Apple receives detailed information about what users do in first-party apps, as well as data about users’ iPhones. A federal class action lawsuit was filed in November, arguing that Apple violates the California Invasion of Privacy Act.
You Asked, We Answered
Here are some of the questions our readers asked us last month.
Q: How to stay safe this holiday season with phishing and other scams?
A: What’s scary is that cybercriminals are changing their tactics to ensure their campaigns bypass email monitoring tools.
Email providers like Google are taking steps to stop these scams, but because they’re “particularly aggressive,” one or two fraudulent emails are likely to slip through the net and trick unsuspecting individuals into providing sensitive information or clicking on a malware-laden link or attachment.
In general, though, here are some steps you can take to protect yourself against scams, not just this holiday season but year-round:
Don’t click or respond to suspicious texts or emails. Remember: scammers often masquerade as delivery service providers. If you get an email or text message from FedEx or USPS, contact them directly to verify their request. It’s a good idea to stay on top of new phishing lures. For instance, last year, fake employee termination notices were popular.
Don’t share your personal or financial information with third parties.
Regularly check your bank statements.
Make sure that whatever shopping website you’re on is the real thing and not a copycat site. Watch out for slightly different URLs and logos, poor grammar and typos, and a lack of contact information.
Be careful about the types of apps you download.
Q: What do you say to people who say, “I don’t care about privacy because I have nothing to hide?”
A: International expert in privacy and professor of law at the George Washington University Law School, Daniel J. Solove, wrote a comprehensive article on this exact topic in 2011, and it’s still relevant.
The article is well worth a read but is, unfortunately, behind a paywall. For those who are not able to access it, one of its biggest takeaways is how widespread the false assumption is that privacy is “about hiding bad things” or a “form of secrecy.”
In reality, privacy abuses by information-gathering programs can hurt you in a number of ways, including:
Aggregation, i.e., when different pieces of data are linked together to find out information about us that we might not necessarily want others to know. Solove uses the example of someone buying a book on cancer, which by itself might not indicate much. But if that same person also buys a wig, you can infer they have cancer.
Exclusion, i.e., individuals not knowing what data governments have on them.
Secondary use, i.e., using data that was collected for one reason for something unrelated and without the user’s consent. If you don’t know what your information will be used for, how can you determine the dangers of data collection?
Distortion, i.e., creating only a partial picture of an individual. Solove’s example is a person consuming information on manufacturing methamphetamine. Immediately, this person might be considered a danger to the public, but he may just be writing a book about a character who makes meth.
Ultimately, Solove argues that “privacy is rarely lost in one fell swoop. It is usually eroded over time, little bits dissolving almost imperceptibly until we finally begin to notice how much is gone.” And by that time, it might be too late.
Back to You
We’d love to hear your thoughts about all things data privacy.
Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).
Share Incognito with friends. If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter.
Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?
That’s it for this issue of Incognito! Stay safe and we’ll see you in your inbox next month.