No more song and dance in privacy policies – ACCC releases Customer Loyalty Schemes report

In its 149-page report on Australian loyalty schemes, the ACCC has provided five overarching recommendations – some regulatory and others advisory.


  • The ACCC is “concerned” over the state of privacy notices, with most loyalty scheme privacy policies being long, difficult to read and (in some cases) deliberately confusing.
  • Loyalty schemes are most prevalent in the airline, supermarket, credit card, hotel and car rental industries; the average Australian carries four to six loyalty cards.
  • While some loyalty operators have implemented changes in these areas, the ACCC remains ‘concerned’.
  • The ACCC recommends an updated definition of ‘personal information’ in Australian privacy law.

The Australian Competition and Consumer Commission (ACCC) has released its Final Report on Australian loyalty schemes, identifying a range of business practices in the industry that it finds ‘concerning’.

According to the ACCC, consumer participation in loyalty schemes is high and the average Australian carries four to six loyalty cards. Loyalty schemes are most prevalent in the airline, supermarket, credit card, hotel and car rental industries.

The five primary recommendations in the ACCC’s report are:

  1. “Improve how loyalty schemes communicate with customers”
  2. “prohibition against unfair contract terms and certain unfair trading practices”
  3. “end the practice of automatically linking members’ payment cards to their loyalty scheme profile”
  4. “improve the data practices of loyalty schemes,” and
  5. “strengthen protections in the Privacy Act and broader reform of Australian privacy law.”

Having reviewed complaints from consumers, loyalty program processes from dozens of retailers and submissions from vendors, it appears the ACCC’s chief concern lies around transparency of data collection and sharing.

The ACCC’s review also found the industry is still weighed down by terms, conditions and privacy policies that are not presented in ways consumers can readily understand.

According to the ACCC, loyalty schemes need to review their approach to presenting consumers with information and give consumers ‘meaningful control’ over their data; this includes a review of unfair contract terms, improved clarity and accessibility, minimised information overload, clear outlining of where and why consumer data is being shared and the disclosure of third-party advertising data sources.

In the ACCC’s evaluation of four of the largest loyalty schemes in Australia, privacy policies ranged from ‘difficult to read’ to ‘very difficult to read’, averaging around 3066 words.

Figure: Loyalty scheme privacy policy reports (Source: ACCC)

Aligning with this are the recommendations made in the ACCC’s Digital Platforms Inquiry, that unfair contract terms should be prohibited (not just voidable) and that Australian Consumer Law should prohibit certain unfair trading practices (such as deceptive and deliberately misleading privacy policies).

The ACCC did note that some loyalty scheme operators have implemented or announced changes to their schemes, most with the aim of improving customer understanding in these areas.

“While acknowledging these changes, the ACCC remains concerned about a range of practices which persist within particular schemes and therefore continues to recommend changes to particular industry practices and consumer and privacy laws,” the report reads.

The ACCC is also calling for an updated definition of ‘personal information’ in the Australian Privacy Act, along with other strengthened and future-focused protections. Some reviewed loyalty scheme privacy policies used their own definitions of ‘personal information’ or included no specific definition at all.

In addition, the ACCC advises lawmakers to require entities subject to the Privacy Act to erase the personal information of a consumer without undue delay on receiving a request for erasure from the consumer, “except in certain circumstances”.

The ACCC also stresses the importance of anonymised data and the risk of dataset re-identification, noting an instance in 2016 when the Department of Health released a de-identified dataset. A Melbourne University research team later found that the supposedly anonymised data could be linked back to individual people through known personal information, including year of birth and known medical procedures.

The ACCC’s fourth recommendation appears to be primarily aimed at supermarket loyalty programs. According to the ACCC, both Flybuys (which is 50% owned by Coles) and Woolworths Rewards disclose within their privacy policies that they may continue to track loyalty members’ purchasing behaviours and transaction activities – when they shop at Coles or Woolworths Group stores respectively – even if they do not scan their loyalty card. Instead, the supermarket giants will link known payment cards with a member’s profile and track the consumer.

The ACCC says Coles, Flybuys and Woolworths Group “should end the practice of automatically linking customers’ payment cards to their loyalty scheme profile” to track their purchasing behaviour when they do not scan their loyalty card.

BY Josh Loh ON 11 December 2019
Josh Loh is assistant editor at