International Data Privacy Day on 28 January usually brings a wave of advice about passwords and privacy settings.
Most of us tune it out.
We fall back on the comfortable, dangerous cop-out: "I am boring. I have nothing to hide."
Richard Ford, Chief Technology Officer at cybersecurity specialist Integrity360, argued that this apathy is our greatest vulnerability.
"Most of us would feel deeply uncomfortable if our medical records, therapy notes, or credit score were shared with colleagues or posted on the street WhatsApp group. That natural recoil proves we all have information we want to keep private. The problem is not that we don't care; it is that we don't see where the data goes," Ford said.
When you start receiving spam SMSes or scam calls, it is easy to assume your number was stolen in a hack. In reality, it was likely sold.
Data has a supply chain, just like retail goods. You might give your details to a legitimate gym app or an online clothing store. You trust them. But behind the scenes, that app relies on third-party aggregators and marketing partners to function. Your data travels to them.
They may mix it with information from other sources, your location history, your spending habits, and sell those refined lists to marketing firms.
"You signed up with a brand you know. But behind the scenes, there is an entire ecosystem of vendors you have never heard of," Ford explained.
"Privacy isn't just about what you share; it is about who your vendors share it with."
In South Africa, loyalty programmes are practically a second currency.
We swipe for points, miles, and cash-back without hesitation. But the exchange rate can be steep.
"When you swipe for a free coffee, you are often trading deep behavioural data. You are telling a system what you buy, exactly when you buy it, which branch you visit, and how price sensitive you are," Ford added.
This creates a "digital twin" of your life that is incredibly valuable to advertisers. While this can lead to better service, consumers need to check the fine print. Look for vague phrases in Terms and Conditions like "sharing for business purposes" or "with select partners".
These often open doors for your data to leave the safety of the organisation you trust.
"When you click 'I Agree' on a major software ecosystem’s prompt, or a comprehensive loyalty programme, you aren't just skipping a flyer. You are effectively skipping the entire script of Macbeth, which is around 17 000 words," Ford said.
"If you signed up for just three new major apps or services this year without reading the T&Cs, you likely skipped a word count equivalent to George Orwell’s Animal Farm (30,000 words).
"You wouldn't sign a mortgage without reading it, yet we sign away our digital rights in 'novels' we never read."
This risk shifts from personal annoyance to professional liability for business owners.
In the drive for efficiency, employees often sign up for free online tools – PDF converters, AI text generators, or project management apps – using their work email addresses. This is known as "Shadow IT".
"If you are a business owner and your employees are using cheap, unvetted software to run payroll or process client documents, you are exposing your organisation," warned Ford.
"When an employee clicks 'I Agree' on a free tool, they might be granting that vendor rights to the data they upload. You are effectively outsourcing your security to a company you have never vetted."
Business owners do not need to be lawyers, but they must treat software procurement with the same caution as hiring a physical security guard. If the software is free, your business data is likely the payment.
One of the most dangerous permissions we grant is the "Sign in with..." button. It is convenient, but if the third-party app is compromised, unknown parties could inherit access to your primary email or cloud accounts.
"As a rule of thumb, if an app asks for permission that doesn't match its function – like a torch app wanting your contacts list – delete it," advises Ford.
You don't need to go off the grid to be safe. It is about reducing the surface area of your risk. Check your app permissions. Read the "Third Party" clause in the contract, at least.
"Being mindful of data privacy simply means vetting the company you keep. Even if you think you have nothing to hide, you certainly have something worth protecting," Ford said.
BUSINESS REPORT