After a lengthy investigation, the Italian Data Protection Authority has fined leading retailer GS € 54.000,00 over its use of data collected from loyalty card scheme members for various marketing-related purposes. Marialaura Boni and Piero Francesco Vigano of Studio Legale Associato in Milan investigate.
Topic: Privacy
Who: Italian Data Protection Authority and GS
When: 20 March 2008
Where: Italy
Law stated as at: 20 March 2008
What happened:
On 20 March 2008, the Italian Data Protection Authority (“Garante”) made a finding against GS – a major nation-wide retail chain – applying a fine of €54,000.00 for breach of article 13 of the Italian Data Protection Code (Legislative Decree n. 196 of 30 June 2003). The grounds were that GS did not provide its customers with a complete information notice regarding the purposes of the use of their personal data collected when subscribing to a loyalty programme.
The facts
After issuing a General Provision with regards to loyalty cards on 24 February 2005, at the end of 2005 the Garante commenced investigations regarding the use of customers' personal data as processed by GS for profiling and marketing purposes.
On 16 May 2006, the Garante raised issue with GS that in carrying out the operations aimed at issuing the loyalty card, it subjected customers' data to profiling with a view to conducting targeted marketing activities, but did not ask for the clients’ consent in order to perform such processing, as required by the Italian Data Protection Code and by the General Provision issued by the Garante with regard to loyalty cards.
In particular, GS collected cardholders’ personal information (such as names, expenses, jobs, mail addresses, telephone numbers, and other analytical information relating to tastes, preferences, needs, consumption choices, and favourite shops) without duly informing data subjects. All said information allowed GS to create profiles of its clients, to evaluate how loyal they were, to rank them and to localize them with respect to each point of sale throughout the national territory. The resulting profiles were used in order to implement tailor-made advertising campaigns and send personalized advertising materials.
GS amends practices but still does not avoid sanction
During the Garante’s investigation, GS had changed its information notice by adding mention of both the profiling and the marketing activities. It also changed the form used to collect the clients’ consent, but even the amended form was not fully compliant with the legal requirements as GS did not ask for specific consent to the profiling and marketing activities as set forth in the General Provision.
Given that the amendments to the information notice were inadequate, the Garante (i) sanctioned GS, (ii) ordered it to stop using the illegitimately collected client data and (iii) ordered it to take any necessary or appropriate measure in order to bring processing operations into line with legislation as set forth in his aforementioned General Provision.
In addition, the General Provision makes specific recommendations, being:-
- the information notice must point out every purpose of data processing and in particular it must clearly and specifically refer to the performance of profiling and/or marketing activities;
- the information must specify that providing one's data and consent for the above purposes is optional and not necessary for obtaining the loyalty card;
- the consent to profiling and/or marketing activities should be given separately from the consent given to standard activities related to the loyalty programme, such as awarding the relevant benefits;
- individuals can be profiled only by using anonymous and/or non identifying data;
- data should be retained for no more then twelve months for profiling purposes and twenty four months for marketing purposes.
Why this matters:
As well as identification and contact details, other information not required in order to confer the benefits afforded by loyalty cards (e.g. education, job title, interests, habits, preferences, shopping habits) is often collected with regard to customers. In addition the scope and number of loyalty programmes within Italy has expanded considerably to include not only the marketing of consumer goods, but also credit, telephony, publishing, leasing, and other services. Thus the recommendations referred to in the General Provision with regard to chain retailers are of a general character and can be applied to these and several other industry sectors.
The Garante considers that the analysis of consumption habits and choices determines relevant risks to data subjects and is carefully overseeing this growing phenomenon and seeking to bring these processing operations in line with the legislation. In its 20 March 2008 finding in the GS matter, for the first time the Garante sanctioned – remarkably applying the highest permitted fine – the illegitimate collection and use of personal data for profiling and marketing activities.
As a consequence, the recommendations of the General Provision along with its strict application by the Garante are inevitably making it even harder to collect and use personal data for profiling and marketing purposes.
Marialaura Boni
Lawyer, Media and Intellectual Property Team
SLA* – Milan – Italy
boni@sla.it
Piero Francesco Viganò
Trainee Lawyer, Media and Intellectual Property Team
SLA* – Milan – Italy
pvigano@sla.it