Woolies Rewards vs Flybuys: who has the best privacy?


Pilgrim urges consumers to rethink what they are trading for loyalty points.

They’re two of the biggest data hoarders in Australia, and now the country's privacy commissioner has given his assessment on whether Woolworths and Coles’ loyalty programs are keeping in line with privacy rules.

It is estimated that 88 percent of all Australians over the age of 16 are a member of at least one loyalty program, with 65 percent of households, or 7.6 million people, signed up to Coles’ Flybuys scheme alone.

The rewards schemes keep track of what customers buy whenever they swipe their member card at the checkout, building a comprehensive record of how and when Australians spend their money. This pool of data is only growing as the supermarkets foray into insurance, credit cards, and even telecommunications.

Privacy commissioner Timothy Pilgrim recently cast his eye over both schemes to find out whether the supermarket giants were staying within the bounds of their privacy obligations.

While he found both loyalty programs to be mature in terms of privacy, Pilgrim is still sending a warning to consumers that these companies may be doing a lot of crafty analytics behind the scenes, even if they are technically operating within the Privacy Act.

“There’s no such thing as a free lunch, nor a free flight. The data that loyalty programs collect is valuable, and personal,” Pilgrim said.

“The details collected in these programs might seem insignificant on their own but when merged together they can paint a picture of who we are, what we do and how we behave.

“This information is worth a lot to organisations. So it’s important that we understand the terms of the programs we join — especially what privacy protections they include.”

Woolies vs Coles

The OAIC didn’t find any glaring failures in either data handling regime, but Coles and Woolworths' strengths and weaknesses differ.


Access to Flybuys data is restricted to a single team within the rewards program, which is responsible for delivering marketing communications to members. Actual analytics processes are conducted on provisionally de-identified data labelled by just a member number.

Woolworths holds all of its personally identifiable loyalty program data, including names and contact details, in central systems that can only be accessed by a “limited number” of rewards staff, it says.

Handing over data to third parties

Woolworths bought a 50 percent stake in analytics firm Quantium in 2013 and now exchanges de-identified rewards data with the company so it can conduct analytics on the supermarket’s behalf. Woolworths Rewards also outsources some jobs to a NZ contact centre and a US-based cloud provider, meaning some of its data changes hands with these entities.

Flybuys, which serves a coalition of businesses, insists no partners have access to the loyalty scheme database. However, it does conduct analytics on behalf of these partners, enabling them to target particular promotions to Flybuys members. It also outsources some information functions to operators in South Africa, the Philippines and US.

Flybuys will also share data with the broader Wesfarmers group, a behemoth that includes Bunnings, Target, Kmart, Bi-Lo, plus a range of liquor stores and industrial firms.

Privacy policy

The Woolworths privacy policy got pass marks for clarity and completeness. However, the OAIC did urge the supermarket to be less evasive around the list of countries where it stores information.

The commission complained that some of the language in the Flybuys privacy policy was a bit vague, and should be more explicit about what “household details” entails and how it “exchanges” and “combines” personal information with partner entities.


Both rewards programs give new staff some sort of mandatory privacy training upon joining, and then refresher courses every 12 months.

Dedicated privacy staff

The Woolworths Rewards ranks include a privacy officer, staff employed to handle privacy enquiries and complaints, plus a dedicated team responsible for assessing requests for access to loyalty program data.

Flybuys also employs a privacy officer, complaint staff, and a unit that helps project managers with privacy advice and corrections. The Coles scheme has also gone as far as establishing a central privacy council which makes determinations on policies and offshoring proposals, and all project approvals are channelled through its privacy compliance manager.

Complaints handling

Woolworths has a formal process for responding to complaints and correction requests, plus an IT incident response plan for responding to a data breach.

Flybuys also has a formal process for responding to complaints and correction requests and a comprehensive privacy breach management procedure, but the OAIC complained it does not include instructions for making complaints in its privacy policy, nor the timeframe in which a customer can expect a response.

Coles has said it will fix the problem ASAP.

Crafty algorithms

Woolworths and Flybuys are both, by law, obliged to explain how they use customer data in their privacy policy.

The OAIC said Woolworths' primary use of data collected via the loyalty program is to "analyse past purchasing behaviour in order to determine which products and offers are most relevant for members".

However, the supermarket also segments members "across a number of groups or sub-populations” suggesting it is building up more nuanced profiles in an attempt to predict customer behaviour.

The supermarket claims conclusions are used to target email-based marketing only.

It does not hand over the findings of its analysis to third parties, use it to target new stores to particular locations, or design the layout of its sites.

In much the same vein, the OAIC said Flybuys was only using its database for the stated purpose of conducting “targeted marketing campaigns”.

“Coles advised that they do not attempt to build profiles about individual customers. At the individual level, they keep a record of the campaigns that have been sent to each customer to avoid repetition or duplication,” the report stated.

Copyright © iTnews.com.au . All rights reserved.
