Use of personal data within mobile applications for loyalty programs

Mobile applications open a wide range of possibilities for businesses to personalize their offer to each of their customers considering their needs, habits, location, and other information.

In practice, this almost always is the case. Businesses, while providing their loyalty programs through mobile applications, process their clients’ data. The two main aspects of personal data processing are related to collecting geolocation data using electronic communication services and collecting, and analyzing the data that is related to the habits of using the mobile app designed for loyalty discounts.

First and foremost, this raises a question: is a business entity allowed to process its clients’ geolocation data? The answer is yes, but only if the main principles of data protection are adhered to. Most importantly, the data processing must happen according to the applicable regulations, and it must be performed in good faith. Compliance with these requirements shall be comprehensively communicated by the company, for instance, respective information is made available on the privacy policy in the mobile application so that the client can read it and take a well-informed decision whether to allow the company to process specific personal data, in particular geolocation data. The privacy policy must include information on how the personal data will be processed and for what purposes it will be used.

Businesses must keep in mind that the consent to process persons’ geolocation data must be separate from any other checkboxes which provide different purposes of personal data processing activities. There must also be an option for the person to withdraw the consent for the use of personal data, after which the controller must stop all activities related to the use of this specific data.

This also brings up a question: can a business stop providing the person with the loyalty program if it later recalls his/her consent to access geolocation data? The answer to this is no. Companies cannot stop providing their clients with such services if a client withdraws his consent for the business to access his geolocation data. Such actions would be considered unlawful since they would be against the law. This is an important aspect that businesses must consider before developing a mobile application designed for loyalty programs, therefore, functionality and technical configurations of the mobile app shall be assessed beforehand.

If a person withdraws his/her consent for the use of geolocation data, the business must ensure that such a decision does not adversely affect the user. However, in practices many businesses offer their clients various types of discounts, and bonuses if they give consent for them to process their personal data. Businesses must be cautious with such practices, as such offers may clash with the main principle of obtaining consent from the client in a voluntary and uncoerced manner. Nonetheless, businesses must respect and follow the rights of the data subject established in the GDPR while processing any kind of personal data related to the person.

Businesses in Latvia must also keep in mind that if they have access to the geolocation data of other persons and if they process such data, the business must perform a data protection impact assessment. The results of the evaluation must be accounted for and properly documented to avoid a breach of data protection regulation.

Establishing such business practices will help businesses gain their client trust that their personal data will be processed according to the law and that they have full control over decisions on how and to what extent their personal data will be processed. This will not only positively affect the trustworthiness and reputation of a business, but will also expand its client base, as potential clients will acknowledge that their data will be processed safely and according to law.​