Last week, we had the chance to attend Cardlinx’s forum in San Francisco, one of the four or so they host worldwide every year. Cardlinx is an industry association for merchants, credit card issuers, and rewards/loyalty programs, with an eye towards establishing industry standards for “mobile payments, in-store offers, card-linking” and other technology tied to the Internet of Commerce Things. Needless to say, from a data privacy perspective, there was a lot to talk about. It was an outstanding event.

Interestingly enough, we talked about Cardlinx in Data Leverage as an organization that does great work. Before their alignment on how to track rebates, discounts, loyalty points, and transactions, most major retailers just had stickers or punch cards. Remember those days? Now we live in a world where your loyalty program connects to your credit card which connects to your discounts and purchase information. This efficiency creates a new opportunity for every partner in the network and each platform plays an important role.

That alignment also means, of course, that there are tracking, disclosure, consent, and compliance concerns. A reward program that monitors all of your spending activity requires a substantial amount of transparency — from you — in order to function properly. A consumer has to agree to provide easy access to their spending, payment, and financial information to enable card-linked programs to operate efficiently. The implications are clear, and while cybersecurity might have been the key issue a few years ago, today the vast majority of users are more aware of, and more concerned about, the privacy of their information.

The good news? Both the association itself and the members we spoke to were not only aware of these concerns, they were taking concrete steps to address them. Erin Warren at Rakuten, for instance, made clear that the rewards giant has created data partnerships (including Lyft) designed to deliver better experiences to users without engaging in an all-encompassing “God mode” type of surveillance. And if there was one question we received the most, it was “how do I make sure I am being transparent enough with my customers?” Even eighteen months ago, that question would not have been top of mind, but GDPR and CCPA have been catalysts for change, even if only in thinking.
Here are the primary points we emphasized, and to which we continue to return as we attend excellent conferences like Cardlinx Forum:
- Know, and Follow, Your Values. It isn’t enough to simply say that your company “takes privacy seriously,” which we know that you do because literally every privacy policy on the planet says so. Lip service is actually worse than nothing, because a promise unkept is not only a GDPR violation in Europe, it’s an unfair trade practice in the US, which means that on either side of the Atlantic, you’re facing a regulatory problem. Even if your privacy policies are aspirational, it’s important for your business to only say what you’ll actually do, and only do the things that you say. And speaking of values…
- Embrace a Culture of Privacy. Yes, plenty of people pilloried Facebook for saying that its new business model was all about privacy. But that doesn’t mean, as a concept, that integrating privacy into your operations is laughable. On the contrary, privacy by design is a central tenet of the GDPR, and a functional approach to operationalizing the values we talked about above. It can be everything from training employees to deploying privacy enhancing technologies (PETs) to bringing on a data audit team — how you do this is far less important than the fact that you try at all. Making privacy a factor in every decision you make will eventually create a data-conscious, data-savvy company that respects the rights of its customers and its partners, which is exactly how you differentiate yourself in today’s commercial climate.
- Be Strategic About Data Partnerships. This is so important to us that, you know, we wrote a book about it. When you create relationships with data partners (and, let’s be clear, everyone is a data partner now), you have to take the time to carefully consider how you want to structure the relationship before you enter into it. Gone are the days of inking a business deal and worrying about data flows afterwards; in fact, data due diligence is one of the fastest-rising transaction costs, a partial consequence of the hundreds of billions of dollars that bad data costs US businesses each year. You need to have a strong NDA, a strong data presentation, a clear view of how you want to control data flows, and management of derivative data rights. If you’re not ready for this, you need to be, because your partners are.
- Don’t be “Creepy”. Yes, you can cookie the entire internet, and yes, you can use tracking technology to identify where your customers are at all times, and yes, you can create a hyper-detailed profile about everyone you can find. But do you really need to? Really? Behemoth companies have battalions of data scientists creating ML platforms to analyze, predict, and drive consumer behavior, and that model demands a constant stream of data, but do you? Or do you need to know what your customer bought, what their preferences are, and what they tend to shop for? Because in the vast majority of cases, it’s the latter situation, and in those, you can simply ask the customer if they’ll share the information with you — typically, they will. The nonstop tracking and profiling not only violates the principle of data minimization and personal respect, it’s also becoming counterproductive, as the “creepy” factor starts to take root. Let’s put it this way: if you told your customers what you were doing with their data, would they be repulsed? Then stop doing that.
