Valentine’s Day is just around the corner, and with it comes the opportunity for companies to launch promotional campaigns via loyalty programs. These initiatives can enhance customer relationships and increase sales. But beware: while your customers’ love is precious, their trust in how you manage their personal information is crucial. In Québec, Law 25 strengthened the obligations set out in the Act respecting the protection of personal information in the private sector (“Private Sector Act”),[1] and these rules apply to promotional campaigns and loyalty programs.
What you need to know
The Private Sector Act imposes obligations on organizations that collect, use or disclose personal information. These seven key principles should be followed to ensure your campaign complies with the Private Sector Act:
1. Consent:The obligation to obtain consent is closely linked to the distinction between “primary” and “secondary” purposes. A primary purpose[2] is one that concerns the provision of a service or product requested by the individual, or access to a job, and which is announced at the time of collection. Secondary purposes refer to all other purposes pursued by an organization. An organization should obtain consent that satisfies all eight validity criteria when it wishes to use or disclose personal information for secondary purposes.[3] For more information on the rules governing consent under Québec law, please consult our previous bulletin on this subject.
2. Profiling: Using technology to analyze customer habits and behaviour for personalized promotions is called profiling.[4] In such cases, organizations must inform individuals of the use of such tools and the means by which they can activate the profiling functions. In other words, it must obtain express consent before starting to target future valentines.
Please note that consent for sending newsletters is generally insufficient for profiling an individual.
What is profiling?
Profiling refers to the collection and use of personal information to assess certain characteristics of an individual, in particular for the purpose of analyzing the individual’s work performance, economic situation, health, personal preferences, interests or behaviour.
3. No to data lakes: An organization may not collect personal information “just in case,” for example, to create data lakes whose use is determined at a later date. The information must be collected for a specific purpose, which is disclosed to the individual concerned at the time of collection of the personal information. In other words, personal information[5] in a data lake is generally unusable without the consent of the individuals for the intended uses. Plan your program in advance.
4. Privacy Impact Assessment (PIA): A loyalty program could trigger the requirement for a PIA, which applies to any project involving the acquisition, development or redesign of an information system or the electronic delivery of services involving the collection, use, disclosure, retention or destruction of personal information.[6] A second PIA may also be required if personal information is communicated or processed outside Québec, for example, if the service provider of the platform used is located outside Québec.[7]
5. Contracts with suppliers: If you outsource the management of your loyalty program or personalized offer campaign to a third party, make sure you have a written contract in place, which at a minimum includes the mandatory content of the Private Sector Act.[8]
6. Withdrawal of consent: Remember that individuals can change their minds.[9] In your communications, make it easy for recipients to withdraw their consent for commercial prospecting.[10] For loyalty programs, offer a simple and easy way to withdraw from the program.
7. Data retention: Once the purpose for which personal information was collected has been fulfilled, it must be destroyed, unless an obligation allows for extended retention.[11] Set legal retention periods and destroy the information once this period has been reached.
Tips for a lasting relationship
- Clarify your intentions: Communicate the purposes for which personal information will be used transparently to your customers, upon collecting their information.
- Get individuals to say “yes”: Obtain valid consent from the individuals concerned.
- Protect those who love you: Demand contractual guarantees for the protection of your customers’ information and, where appropriate, analyze the risks of your campaign or program using a PIA.
A well-designed loyalty program can strengthen your ties with your customers, but don’t forget: their trust is the most precious gift of all.
