Loyalty Points & Marketing Consent – GDPR Compliance Guidance

Recommendation Against Restricting Loyalty Points to Marketing-Only Users

Overview

As part of our ongoing efforts to support compliant, ethical, and effective customer engagement, we want to provide guidance on the use of loyalty points in conjunction with marketing consent under the General Data Protection Regulation (GDPR).

Specifically, we do not recommend blocking access to loyalty points for users unless they opt in to marketing communications. Below, we outline the reasons for this position and provide alternatives that achieve marketing goals while remaining GDPR-compliant.

Key Reason: GDPR Requires Freely Given Consent

Under GDPR, consent to marketing must be:
- Freely given
- Specific
- Informed
- Unambiguous

Article 7(4) of GDPR explicitly warns against making access to services conditional on marketing consent when that processing is not necessary for the core service.

"When assessing whether consent is freely given, utmost account shall be taken of whether... the performance of a contract... is conditional on consent to the processing of personal data that is not necessary..."

This means that tying access to loyalty points—a feature many users view as core to the service—to a marketing opt-in would likely invalidate the consent and potentially expose the brand and platform to compliance risks.

Why Loyalty Points May Be Considered Core

In food and ordering apps, loyalty programs are often:
- Prominently advertised
- A key driver of repeat engagement
- Viewed as a basic reward for purchases

Blocking points unless a user agrees to marketing can be seen as coercive and may result in:
- Regulatory scrutiny or fines
- User complaints or distrust
- Reduced opt-in quality (users opting in only to access benefits, not out of genuine interest)

Recommended Alternatives

| Approach | GDPR Risk | Description |
|---|---|---|
| Block all loyalty points unless user opts into marketing | 🚫 High | Likely not valid consent |
| Award extra rewards or exclusive perks for subscribers | ✅ Low | Opt-in is optional and incentivised, not required |
| Create marketing-only offers separate from core loyalty points | ✅ Low | Maintains consent integrity |

Example of a Compliant Incentive

“All customers earn loyalty points on purchases. Subscribe to our marketing updates and receive extra rewards, surprise treats, or access to exclusive promotions!”

This ensures:
- Points remain accessible to all
- Marketing opt-in is meaningful but optional
- The program stays GDPR-compliant

Company Responsibility for Compliance

Please note that the guidance provided in this document reflects our recommended best practices to support GDPR-compliant customer engagement. However, as the business using the platform, you act as the Data Controller and are ultimately responsible for ensuring your use of personal data — including how you link marketing consent to loyalty features — complies with GDPR and any other applicable privacy laws. You are free to request text or flow changes within the platform to align with your own legal advice and compliance strategy.

Conclusion

To protect both your brand and your users, we strongly advise against restricting core loyalty features to only those who opt into marketing. Our platform supports flexible and compliant ways to incentivise marketing participation without creating legal risk.

If you'd like help designing a GDPR-compliant loyalty and marketing flow, our team is happy to assist.