Would you like a free burrito?

6 May 2020
Dudley Kneller, Partner, Melbourne David Smith, Consultant, Melbourne

Would you download a fast food store’s mobile app, hand over your personal information, reveal your credit card details, and give access to your location data, simply to receive a free burrito?

Me too.  But how are we really paying for it?  And what happens to all of that data?

This article will let you know what you should consider from a privacy perspective before signing up to an app or loyalty program in return for a small incentive.

Apps, freebies and loyalty programs

Many retailers have their own mobile app, which often incorporates an ordering and payment function, and integrates with a loyalty program offering a free product on sign up or ongoing discounts.

It is common for an app, at the sign up stage, to require a user to provide their name, phone number, email address, home address, and debit or credit card details. In addition, access to location data is often requested to allow users to order from the nearest store, or alert them to store locations.

During the sign up process, users would likely be asked to agree to the privacy policy and terms and conditions.  These documents will set out how the information you provide at sign up, and the information collected through your purchases and use of the app, will be used.  In addition, you may be asked to ‘opt-in’ to receive direct marketing or your agreement may be sought through a provision within the terms and conditions.  Our earlier article discussed likely changes to a mandatory ‘opt-in’ model to direct marketing under the Spam Act 2003 (Cth). The best approach, as always, is to read the privacy policy and all related terms and conditions to determine exactly what it is you are agreeing to.  However, that doesn’t always occur.

We have reviewed the privacy policies of some popular apps and loyalty programs, and have summarised some interesting points in relation to how they collect and use data.

What information is collected?

In addition to the information which a user inputs during sign up, it is common for the following data to be collected:

  • the exact location of the mobile device when the app is active either in the foreground or background;
  • the times and dates when the app is active;
  • IP address; and
  • device information (such as handset model and operating system).

It is also common for companies to collect personal information from third parties.  When a company allows users to sign up using their Facebook or other social media account, there are often policies allowing information to be collected from or shared with the social media company.

When individual pieces of information are combined, particularly with information obtained from third parties, companies are able to develop a comprehensive profile of a user.

How is the information used?

A privacy policy must detail how personal information that is collected by a company is used.  Typically, this will include statements that information is collected in order to deliver a product or service.  For example, your name and credit card details are collected in order to process the payment for a product you have ordered.

However, information is typically collected for much broader purposes including:

  • to deliver direct marketing;
  • to undertake market research;
  • to run promotions;
  • to share information with related bodies corporate; and
  • to share information with third parties to run promotions.

The data collected by companies through apps and loyalty programs is valuable.  It allows them to develop a highly personalised understanding of their customers and their preferences, and allows them to offer targeted products, ‘add-ons’ to orders and promotions which assist in increasing revenue.

Reboot your privacy

Privacy Awareness Week is an appropriate time to consider what information you are handing over to companies in return for a small incentive or convenience, and how that information is being used.

Why not have a look at some of the apps on your phone?

If you are no longer using them, think about deleting your account and deleting the app.

If you are using them, consider reviewing the privacy policy to make sure you’re comfortable with how the company is using your data.  Consider your privacy controls and limiting the amount of information you provide.  This may be done by opting out of direct marketing or disabling location data.  You can also limit the information that Facebook shares with third parties through the ‘Apps and Websites’ tab within your Account Settings on Facebook.

Apps and loyalty programs lure us in with freebies and discounts, and offer great convenience.  In exchange, users offer up swathes of data and valuable information.  While that burrito might not cost any money, the adage remains true: there’s no such thing as a free lunch.


Gadens is a supporter of Privacy Awareness Week 2020


Authored by:

Dudley Kneller, Partner
Gabe Abfalter, Associate

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.

Get in touch