How much are loyalty schemes earning from your data?

Loyalty schemes earn big money from the data they collect about us.

Loyalty cards for New World Clubcard, Farmers, AA Smartfuel and Airpoints.

Loyalty schemes lure us with the promise our spending will be handsomely rewarded. However, these programmes aren’t just about getting customers in the door. The real prize is the personal data they collect every time you swipe your card.

Not only does this information tell retailers about your shopping habits but onselling it can also prove lucrative. Across the Tasman, some schemes are estimated to be making millions of dollars a year from selling the data they collect.

Down the data mine

As soon as you sign up for a loyalty scheme, it begins collecting information. It typically starts with your name, age, gender, address and household size. As soon as you start swiping or scanning your membership card, the programme operator starts building a profile of you and your shopping habits.

This includes what you buy, when, how much you spend and how you pay.

Some schemes, such as Fly Buys, also offer apps that collect even more information. The company’s privacy policy says that if you download the Fly Buys app, the information collected can include data about your location, device type, device identifier (IP address) and user activity, such as the website links you click on.

This data is added to your profile, which companies use to target you with tailored ads designed to get you spending.

There’s also money to be made from data sales. A 2019 report by the Australian Competition and Consumer Commission (ACCC) found some loyalty schemes were earning as much as $374 million a year from selling customer data.

As soon as you sign up for a loyalty scheme, it begins collecting information.

Schemes are also earning money from customer data on this side of the ditch. Fly Buys, which boasts 2.8 million members, said it sells customer data to companies in its programme and gets revenue from data analytics services provided to these companies. However, it declined to tell us how much.

Petrol loyalty scheme AA Smartfuel also earns revenue from selling aggregated data to its partners, though director Ian Sutcliffe said the amount was “less than $40,000” in the past financial year.

Mr Sutcliffe said AA Smartfuel also shares personally identifiable information with Countdown – where Countdown Onecard members participate in the AA Smartfuel scheme – and “non-identifiable, high-level programme information with most of our partners”.

Other major loyalty schemes we contacted also shared data with their business partners as well as undisclosed third parties (see “Loyalty scheme profiles”).

The fine print

Loyalty schemes should be telling you what data they’re collecting and what they do with it. But this information is usually buried in lengthy terms and conditions that are difficult to read and may not give you the full picture.


Combined, Fly Buys’ terms and conditions, and privacy policy run to 4868 words (see our Table). The privacy policy gets a rating of “fairly difficult to read” using the Flesch Reading Ease Test Score (calculated on the average number of words in a sentence and the average number of syllables in each word).

Air New Zealand has a 62-page privacy statement that applies to all services, including the Airpoints scheme. It gets a rating of “fairly difficult to read”.

Information on who your data is shared with is also vague. Our review of schemes’ terms and conditions found most refer to “third parties” but don’t name them. When we asked major loyalty schemes for a full list of third parties that received data, none would provide this information.

In its 2019 report, the ACCC noted the “power imbalance” between consumers and loyalty scheme operators. While schemes require consumers to give broad consent to the use of personal information, they provide hard-to-understand disclosures about how they use and share this data.

The ACCC has put loyalty schemes on notice to clean up their act and give customers clear information about what they’re doing with the data. Loyalty schemes here need to do the same. Customers should also be asked if they want to opt-in to their data being shared and sold, rather than it happening automatically.

What are the risks?

Even if you don’t mind your data being dished out to advertisers or sold to the highest bidder, data sharing increases the chances your information will fall into the wrong hands.

A major risk is data re-identification, which is where a third party crunches the numbers on “anonymous” information and matches different datasets to identify you. This can open the door for hackers to access your private information, such as email or bank details.

20jan loyalty schemes body
In July 2019, the data of 112,000 Air New Zealand Airpoints customers was hacked.

Hacking isn’t just a theoretical risk. In July 2019, the data of 112,000 Air New Zealand Airpoints customers was hacked. Information ranging from contact details to possible passport details was exposed.

Data architect Michelle Burke said the chances of your data being hacked are increasing.

“The risks come down to how much information you share. When the data is aggregated, you likely wouldn't be identifiable. However, depending on the methods used to de-identify [or] anonymise data, you could be easily identifiable.”

Ms Burke cited a 2016 study in Australia where de-identified medical records were easily re-identified by researchers at the University of Melbourne.

These risks will only increase as data collection companies are bought up by bigger operators, she said. “[As] data sets are put together, more and more information is put together about us. [In November 2019], Google purchased FitBit.”

Are they worth it?

Given customer data provides the big value for loyalty schemes, it’s little surprise the rewards they offer are frequently underwhelming.

With Fly Buys, the standard conversion rate is one Fly Buys point for every $25 spent. To earn the 1660 points needed for a pair of Apple’s $280 AirPod headphones, you’d need to spend $41,500.

Countdown’s Onecard requires you to spend $2000 to earn 200 Onecard points, which gets you a $15 supermarket voucher.

New World’s Clubcard programme requires customers to pick either Fly Buys or Airpoints as a reward programme. You can earn one Fly Buys point for every qualifying $25 you spend at New World in a single transaction.

During advertised redemption periods, customers can choose to convert their Fly Buys points to New World Dollars (one New World Dollar = NZ$1). You would need to spend $2125 to earn enough for 15 New World Dollars.

If you pick Airpoints, every qualifying $25 spent at New World will earn $0.185 Airpoints Dollars.

To earn one Airpoints Dollar at Mitre 10, you need to spend $115 (one Airpoints Dollar also equals NZ$1). A $335 Samsonite suitcase in the Airpoints store costs 469 Airpoints, so you’d need to spend $53,935 at Mitre 10 to rack up enough points.

What about fuel schemes? They’re not much better. In 2019, using the Gaspy app that compares fuel prices, we found retailers in Hastings with loyalty discounts (BP, Caltex, Mobil, New World, Pak’nSave and Z) offered the same price for regular 91 petrol, which was 13¢/L higher than the local Gull.

Our advice: you’ll usually be better off shopping by price rather than spending more just to earn points.

Data collection

It’s not just loyalty schemes collecting your data. Social media and apps also require personal information in exchange for you using them. “Free” online services, such as Facebook and Twitter, or fitness and health apps, such as Fitbit, may monetise your data by letting it be used for targeted advertising or data analytics.

Loyalty scheme profiles

Want to read the full article?

  • Heaps of buying advice so you can choose with confidence
  • Independent reviews of thousands of products and services
  • Personal advice an email or phone call away on our advice line (members only).

Member comments

Get access to comment

Ray M.
07 Mar 2020
Want privacy don't join

If you don't want your info used or sold then the only realistic solution is to not join these schemes. The old saying that 'nothing is free' applies. In return for giving you fairly small discounts the scheme owners are 'buying' information about your behaviour that they believe they can make money from.
It is a transaction where you are the product.

Tony I.
09 Feb 2020
Interesting reading

It's pretty disappointing to read "When we asked major loyalty schemes for a full list of third parties that received data, none would provide this information." I wonder how they manage to get away with this given Principle 3 of the Privacy Act. The NZ Government publication "Information privacy principles - descriptions and examples of breaches of the IPPs" (https://snapshot.ict.govt.nz/resources/digital-ict-archive/static/localhost_8000/assets/GCPO/Information-privacy-principles.pdf) makes interesting reading and states you should tell individuals "If the information will be disclosed to anyone else, and if so who?". So why not as a bare minimum require the data collectors to maintain a list on their website of who these third parties are you could reference if you wished to (and yes I do understand that the seller and receiver of our information would prefer anonymity but I'd prefer transparency of what happens with my data).
I'd also be interested in any follow-up research including a banking industry example.
Thanks for the interesting and informative report.

Viv Riddell
08 Feb 2020
Loyalty cards

Thanks for your analysis. One other thing that I didn't see in your report was the time to expire for the loyalty points. I find this particularly annoying as Countdown points need to be earned within 6 months. As a shopper for one, I don't usually get sufficient points in a 6 month period.

Renate S.
08 Feb 2020
The other side of the paranoia coin

The coin has two sides. If I get some benefit from a loyalty scheme, I do not mind if someone else also gets a benefit, e.g. those who have information about my shopping also make money with my info. So what? It is only statistics, not private info. It does not hurt me, and I am not paying or losing money if they too have some gain. To this date it has never harmed me. Hacking someone's data can happen to anyone. That is what Norton or similar software is for. But to the contrary, by enhancing their business, they can provide better service to potential clients and we are both winners. Yes there is "no need to know", but so long it does not harm ME and so long I am not paying for it, let them have their share of the cake. Stop the paranoia and scaremongering. That is not what we are paying for with our Consumers subscriptions.

Tony I.
09 Feb 2020
Response: The other side of the paranoia coin

Personally, I'm in complete disagreement with you about this. This is exactly the type of research I want consumer to be doing with my subscription.
I'd back consumer doing one of their campaigns on this subject.
If you think Nortons on your local machine will help protect your PII data from enterprise hacking you need to educate yourself some more.
The Netflix documentary - THE GREAT HACK is sobering viewing on what is being done with our data, and that is just the tip of the iceberg.

Marysia V.
11 Feb 2020
Not paranoia or scare mongering

We absolutely do need to know what happens to our data in these schemes. The fact that the companies would not tell us exactly who our data is shared with is very concerning. If one of these partner companies is hacked and they have our data, then we are at risk. If they share sensitive data with insurance companies (esp. Health Insurers) then you might not be able to get affordable insurance. The flow on effect is significant. I find it totally unacceptable that they have refused to tells us who they share our data with, and I feel that they are in breach of the intent of the NZ Privacy Act. We need consumer to keep analyzing these companies and informing us of rights. We need a campaign to force them to tell us where our data is sold and/or shared, and for us to opt in/out of their data sharing/selling.

Bob F.
08 Feb 2020
Great Research to Publicise Widely

This is great analysis of an increasingly troublesome threat to the individual's privacy and autonomy. Hopefully Consumer will follow this up to find out and further publicise how this harvested information is used to target us, and by whom, but also to work on our behalf to lobby government to block as much of this intrusive exploitation as possible. Heartfelt thanks to both Consumer and Researcher. Keep it up!

John M.
08 Feb 2020
Loyalty schemes selling of your info.

There is nothing to stop you when you initially join one of these schemes to enter completely erroneous information! Sure they still know when you shop and what you buy but if you are a 20 yo male but are registered as a 90yo trans, then their info is not very accurate. So if we ALL deliberately mislead them most of their info would be crap.

Stephen G.
08 Feb 2020
?Too late to stop

Certainly the monetary value is hardly worth the risks, though there is always something great about using my true rewards loyalty points for a "free" shop at Farmers.
I wonder if I ceased swiping my loyalty cards now and cancelled them, I would imagine that the already received data continues to be available and thus is a part of the collective available for future hacking? Any comments?