Loyalty or Liability: How safe is your data when using loyalty programmes
Shanuka Kadupitiyage
Law Student and Journalist Reporting on Science, Technology, Arts, Startups & Automobiles
Loyalty programmes are one of the biggest data mines in Sri Lanka. They harvest extremely personal and private data from people and use it for profit. But how secure is the data they collect, and what guarantee do we have that it isn’t used for more than what’s advertised?
A lot of the information requested by loyalty programmes, including those from popular fashion chains, supermarkets, and cafes, is often more information than necessary. They might ask for your National Identity Card (NIC) number, full name, birth date, age, gender and more, for no clear reason. If you ask why such information is necessary, or how secure the data is with them, you’re usually met with a blank stare or vague and hurried assurances.
What happens to my data?
I anonymously inquired with several popular retail chains, including clothing chains and supermarkets, about the security of the personal data they store, which data is stored, and how much control customers have over the stored data.
When we spoke with each chain’s customer service hotline – the first place a customer would contact for an inquiry – none of them were able to direct us to a dedicated representative or department that handled inquiries about customers’ personal data in their loyalty programmes.
After repeated attempts asking the same questions, we were either directed to a marketing executive, who did their best to answer our questions, or given an email address and asked to forward our queries through it.
Over the phone, we were informed that in addition to the information collected when registering for the loyalty programmes, additional data including purchase history was also being tracked. We were given assurances that the collected data is stored securely within the organisation, is not shared with outside parties, and is only used for internal purposes.
However, we were unable to confirm specifics of how well the collected data is secured against malicious attacks from hackers, whether purchases are identifiable to each individual, or how restricted internal access to customers’ personal data is.
Thankfully, all entities ensured that the collected personal data could be deleted from their systems upon receiving a written request. This can be done by sending an email.
Data: More valuable than oil
In 2017, The Economist magazine called data the world’s most valuable asset, and its worth has multiplied exponentially as digitalisation has continued. With Sri Lanka entering a more digitalised economy, local companies are also using data more than ever before to maximise profits.
“We are all digital citizens now, and we should especially be aware of what information we are giving to anyone. Our data is a fundamental asset that we own, and it should belong to us, not anyone else,” Cybersecurity and Privacy Advocate Asela Waidyalankara explained.
“When we think of data being used by corporations, our thoughts immediately turn to companies like Meta and Google, but we should also focus on retail companies too, including even the supermarket you go to,” he continued. “Your data is valuable to them and is being used to make business and investment decisions. You should have control over what you are willing to share, and for how long.”
Asela pointed out that the Personal Data Protection Act No. 09 of 2022 (PDPA) enables all people, including foreigners visiting Sri Lanka, to have greater control of how personal data is gathered, how it is processed, and what it is used for.
Protecting personal data
Asela explained that data protection centres on a series of fundamental questions. “If I’m taking your data, I must tell you, what am I using it for? How am I storing it? What are the reasonable measures I’m taking to make it safe? And if you tell me, when will I delete it? I can’t hold on to it perpetually, because the data is yours.”
He added that the PDPA also protects five data rights. He shared that the PDPA is inspired by the European General Data Protection Regulation (GDPR), considered to be one of the world’s best data privacy and security laws, and incorporates similar principles and standards. Sri Lanka is the first country in South Asia to enact a specific data protection law with the PDPA.
Coming March 2025/6
Ceylon Today also spoke with Technology, Media and Telecommunications Law Consultant Ashwini Natesan. Both she and Asela agreed that having legislation for personal data protection is a progressive step forward for Sri Lanka. They explained that while some provisions of the Act came into force in 2023 – mainly the provisions for establishing Sri Lanka’s Data Protection Authority (DPA) – other provisions will come into force by March 2025, and finally, the provision against unsolicited messages will come into force by March 2026 at the latest.
Ensuring personal data rights
Ashwini explained that the PDPA provides expansive protection for personal data, including regulation against companies and organisations collecting more than what’s necessary for their stated purposes. This includes clearly defining what data will be gathered, and for what purpose.
“There also has to be a specified, explicit, and legitimate purpose for collecting the data. Also, the PDPA mentions specifically that the data has to be adequate, relevant and proportionate for the purpose. For example, if it’s a loyalty programme, a simple name and phone number would fulfil these requirements,” she opined.
“Also, when the purpose for collecting the data is fulfilled, there’s also protection on how long they can retain that data. Many entities have been collecting and holding user data for years, and it’s questionable whether they’ve ever really considered deleting that data.”
Informed consent is another major element of the PDPA. Entities must clearly communicate what data is being collected, and for what purpose, before the data subject provides consent, and the Act also upholds the data subject’s right to withdraw consent to the use of their data at any time.
The Act also requires entities that collect personal data to designate a data protection officer, who oversees compliance with the PDPA. Data Protection Officers must also be in communication with the DPA and must inform it if a data breach takes place. The DPA then has the power to inform the public of a breach if it has a significant impact on the general public.
“From what we see in the draft guidelines, it’s not that every company is required to appoint a separate Data Protection Officer,” Ashwini clarified. “According to the draft rules, appointment depends on the scale and magnitude of the data being collected and whether the conditions given are fulfilled.
However, all entities, both governmental and non-governmental, have to comply with the PDPA. For example, a smaller company could appoint or designate someone from their legal team who knows about the technology aspects of data protection or a technical person from the IT team to fulfil the responsibilities of a Data Protection Officer.”
Spam messages and calls
With the recent presidential and parliamentary elections, many Sri Lankans shared concern over the onslaught of spam messages and calls received for electoral campaign advertising. Many took to social media to share their concern over receiving such messages without having consented to their number being used for these purposes, so much so that the Telecommunications Regulatory Commission of Sri Lanka (TRCSL) even called for explanations from telecommunication service providers regarding the promotional text messages.
“Once the provision on solicited messages comes into force by March 2026, latest, the only promotional messages we can receive will be ones we have consented to,” she highlighted. “At the moment, we have the ability to stop receiving them, by sending the ‘STOPAD’ text reply. Once the PDPA comes into force, there will be more rights on how our data is used,” Ashwini clarified.
Compliance now
Although the PDPA’s provision on unsolicited messages is set to take effect by March 2026, the remaining provisions will be enforced by this coming March, which is only months away. Ashwini highlighted the importance of entities that handle personal data taking action now to be ready for compliance by then.
Also, from our experience, it’s evident that transparency to customers on the handling of their personal data hasn’t been a priority for many Sri Lankan retailers, especially those that collect customer data through loyalty programmes. We hope that the PDPA becomes a wake-up call for companies to be more serious about informing customers of how their personal data is handled, with better and clearer communication.
“We have to recognise that compliance takes a lot of time and investment,” she said. “This includes incorporating technological solutions for cybersecurity and data encryption. A lot of internal processes might also need to be streamlined and rethought. Factors such as budget and human resources need to be considered early on.”
She also mentioned the importance of entities being aware of the draft guidelines, rules and regulations being developed by the DPA, which contribute to the PDPA coming into effect. “Since the last month or so, they have been publishing them on their website, and it’s important that stakeholders participate because it is open for public consultation.”
Better now than later
As Sri Lanka continues to embrace digitalisation, it’s important that her citizens are aware of their rights over their personal data. While Sri Lanka may be the first in the region to implement these policies, the threat of personal data being misused is already a reality. We look forward to the PDPA coming into effect sooner rather than later, and to more progressive legislation being enacted in the future.
PDPA: Your Personal Data Rights
Access to personal data:
All data subjects have the right to request access to all data that has been collected on them, and data processors and controllers must provide necessary access to them when a formal written request is made.
Right to withdraw consent and object to processing:
All data subjects have the right to withdraw any previously given consent to data collection. Once requested, any entity collecting data must cease collecting data on the user. Data collected before the request may still be used; however, the user can also request to withdraw consent to further processing.
Right to rectify or complete:
All data subjects have the right to have any outdated or obsolete data rectified, and when requested, any rectification must be made without delay. If the person responsible for handling the personal data needs to keep it as legal evidence or because of a court order, they may retain the data without rectifying it, provided the data is not processed further.
Right to be erased:
All data subjects have the right to request that all data collected on them be erased if the collected data is contrary to the obligations of the PDPA, when the data subject withdraws the consent upon which processing is based, or when erasure of the personal data is required by any written law or by an order of a competent court to which the data subject or controller is subject. Once this request is made, the data controller/processor cannot continue processing any data on the data subject.
Right to object to automated decision making:
Data subjects have the right to inform an entity handling their personal data that they object to automated decision making and processing which is likely to create an irreversible and continuous impact on their rights and freedoms.
When a written request is made by the data subject, the entity holding or processing the data must respond within 21 working days of receiving the request. A request can be refused on grounds of national security, public order, any inquiry, investigation or procedure carried out under any written law, the prevention, detection, investigation or prosecution of criminal offences, the rights and freedoms of other persons under any written law, the technical and operational feasibility of the controller acting on such a request, the inability of the controller to establish the identity of the data subject, or a requirement to process personal data under any written law.